METHOD FOR DELEGATING ACCESS RIGHTS THROUGH EXECUTABLE ACCESS CONTROL PROGRAM WITHOUT DELEGATING ACCESS RIGHTS NOT IN A SPECIFICATION TO ANY INTERMEDIARY NOR COMPROMISING SERVER SECURITY

COPYRIGHT NOTIFICATION 

A portion of the disclosure of this patent document 
contains material which is subject to copyright protection. 
The copyright owners have no objection to the facsimile 
reproduction, by anyone, of the patent document or the 
patent disclosure, as it appears in the patent and trademark 
office patent file or records, but otherwise reserve all copy- 
right rights whatsoever. 

Software Appendix

An appendix comprising two printed files is included as part of this application. The first file is entitled "Diffs," and is 28 pages long plus a cover sheet. It represents the differences in source code between release 3 of the Andrew File System (as it appeared on the Aug. 19, 1990 Mt Xinu release tape of the Mach operating system) and a modified version of release 3 of the Andrew File System, described below, that embodies the method of the present invention. The second file is entitled "TCLDiffs" and is 25 pages long plus a cover sheet. It represents the differences in source code between release 3.3 of Tool Command Language and a version of Tool Command Language modified from release 3.3 to support the embodiment of the invention in the modified version of the Andrew File System as described below. The modifications made to Andrew File System release 3 and Tool Command Language release 3.3 in order to produce the embodiment of the present invention in the modified version of the Andrew File System as described below represent unpublished work, Copyright © 1991 Xerox Corporation. All rights reserved. Copyright protection claimed includes all forms and matters of copyrightable material and information now allowed by statutory or judicial law or hereafter granted, including without limitation, material generated from the software programs which are displayed on the screen such as icons, screen display looks, etc.

BACKGROUND OF THE INVENTION 

The present invention relates to computing systems and more particularly to client-server systems, including but not limited to distributed client-server systems.

In a distributed client-server system, a client program often requires an intermediary to perform an operation on some server. The intermediary must be able to convince the server that it is operating on behalf of the client and hence that it should be granted the right to perform the requested operation. Furthermore, to limit exposure to untrusted intermediaries, the client will want to grant to the intermediary only that subset of its rights that are necessary for completing the requested operation.

An example of such a situation is the use of a print server 
to print a file that resides on a file server. The initiating user 
would like to grant the print server access to the file to be 
printed so that it can directly retrieve the file from the file 
server. However, the user would like to prevent the print 
server from being able to retrieve any other files. The user 
might also wish to place a time limit on how long the print 
server has access rights to the file. 
A second example is remote compilation on a compute server. The compute server must be given read access to all the relevant source files. It should also be permitted to create or overwrite the relevant object files while being prevented from modifying source files. Additionally, suppose the compute server does a recompilation as a set of parallel tasks, each running on a separate machine. Then the server will want to delegate some of the rights it has acquired to other hosts that are performing subtasks.

This example can be further complicated if the files and directories involved are owned by someone other than the user who is invoking the compilation. The user (e.g., as member of a group) may have permission to read and write various files in a directory, but may lack permission to modify the access controls of those files or the directory they are in. Hence it may not even be possible for the user to delegate access rights to a third party.

A more application-specific example is a self-paced course in which students submit their homework assignments by creating a file in a well-known directory. The solutions to each homework assignment also reside in files in that directory; however, each student should only be given access to the solutions after they have handed in their answers for that assignment. The access control specification in this case is that only students in the class may read or write files in the directory, no student in the class may read a solution file without having already written a corresponding homework file, and no student may write any given homework file more than once.

Finally, one may wish to limit access to resources that can be subdivided, such as electronic funds. This implies being able to specify quantitative limits on resources for which access rights have been delegated.

Techniques proposed in the prior art for granting/delegating access control have centered around access control lists and capability schemes. Access control lists (ACLs) are lists of (name, access right) tuples. Such lists may be implemented as bit tables, linked lists, or other suitable data structures. Servers maintain ACLs and use them to decide whether or not to grant any given access request. Capability schemes are based on capability tokens that servers hand out to clients. A requestor, such as an intermediary between a client and a server, presents a capability token along with an access request to prove that the requestor has the right to make the request of the server.

Both ACL- and capability-based systems provide ways for a client to delegate its access rights to an intermediary, but provide only limited facilities for restricting the rights granted to the intermediary. ACL-based systems can deal with restricted delegation by allowing the creation of roles, which explicitly represent the entity to whom a restricted set of access rights is being delegated. Capability-based systems enable restricted delegation by either handing out multiple tokens or by handing out tokens that can be securely subsetted to a certain degree. Both of these approaches to restricted delegation depend on servers' having an explicit understanding of all access controls: concepts such as restrictions over file types, access time limits, the homework example restrictions, or resource quotas must be implemented at the servers. Servers must know in advance of any client requests all the various access rights and restrictions that clients may want to delegate.
5,649,099

With either ACL- or capability-based systems, if a client wishes to enforce access controls that are not understood by the server(s) available to him, he has only one option, namely, to use or build other servers. For example, consider a distributed file system that does not ordinarily support access time limits. An example is the Unix distributed file system known as NFS, which is described, for example, in Russell Sandberg, David Goldberg, Steve Kleiman, Dan Walsh, and Bob Lyon, "Design and Implementation of the Sun Network File System," in Proceedings of the Summer 1985 USENIX Conference (Portland, Ore., June 1985) at 119-130. To build a print service that understands access time limits on NFS files requires that a print server be built that both understands time-limit-based access controls and is trusted with access to all NFS files that any clients might wish to print. Similarly, to implement the homework example on top of prior art file servers (or any file servers whose access controls lack the concepts necessary to express the homework constraints) requires that someone build a "homework server." Furthermore, students' ability to hand their homework in and receive solution sets back depends on the availability of this homework server.

To better understand the limitations of the prior art, it is helpful to consider an analogy. Suppose that a movie theater shows ten different movies. Some are suitable for viewers of all ages, while others are suitable only for adults. Like most movie theaters, this theater sells tickets separately for each individual movie. A patron who holds a ticket for, say, "Gone With the Wind" is thereby entitled to see Gone With the Wind but is not entitled to see "Unforgiven" or any other movie playing at the theater.

Now suppose that a parent wishes to send her child, who is thirteen years old and not to be trusted, to see a movie unaccompanied. The parent wants the child to see only "G-rated" movies, that is, movies deemed suitable for viewers of all ages, and no other movies. She is concerned that if she simply gives the child money to purchase a ticket, left to his own devices the child (possibly with the assistance of an adult or older teenager posing as his "guardian") will purchase a ticket to an R-rated movie intended for more mature viewers. Thus the parent runs the risk that if she tells her child to go see "Bambi," the child will sneak in to see "Basic Instinct." What the parent really wants is to be able to purchase in advance, and give to her child, a movie ticket redeemable for access to any G-rated movie and for no other movies. Unfortunately the movie theater does not sell such tickets. Short of persuading the movie theater to change its ticket-selling policies, the parent is stuck with either having to accompany her child to the theater or else running the risk that the child will disobey her.

It can be seen that the parent is analogous to a client program, the child to an intermediary, the movie theater to a server, and the movie ticket to a capabilities token in a capability-based system. The parent-client is stuck with the kind of tickets that the theater-server sells, and cannot order a custom-made ticket that would allow her to grant some independence to her intermediary-child while simultaneously maintaining a certain measure of control over the intermediary-child's behavior. The system provides no straightforward way for a client to design a restricted set of access privileges, e.g., at run time, and delegate these to a potentially untrustworthy intermediary.

What is needed as an alternative to embedding an ever-increasing multitude of access control concepts into each server or building an ever-increasing set of application-specific "front-end" servers is to provide clients and servers with a language with which they can dynamically build generalized capabilities and define application-specific access rights at the time those rights are to be delegated.

SUMMARY OF THE INVENTION

The present invention provides a method for delegation in client-server systems that is based on client-manufactured access control programs (ACPs) that can encode arbitrarily general access rights specifications. According to one aspect of the invention, an intermediary making a request of a server on behalf of a client presents an appropriate client-created ACP along with the request. The server executes the ACP to determine whether or not the requestor, that is, the intermediary, has been granted by the client the right to make the given request. If and only if the requester has been granted the right to make the given request does the server perform the request. The method also contemplates one or more intermediaries between the client and the server. Each intermediary creates its own additional ACP in order to delegate some or all the rights it has to the next intermediary in the chain. The server checks all the ACPs before carrying out a request issued by the last intermediary in the chain.

An important advantage of the method of the present invention is that a wide range of applications and access control schemes can be built on top of any server that implements an ACP interpreter and a relatively small number of access control concepts. Another advantage is that the method finds applicability in distributed and nondistributed systems. Still another advantage is that ACPs can be digitally signed to prevent their forgery, thus allowing them to be passed around or even published. A further understanding of the nature and advantages of the present invention may be realized by reference to the remaining portions of the specification and the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A schematically depicts a client-server system suitable to the method of the present invention;

FIG. 1B schematically depicts a client request and an intermediary request that is also a service request;

FIG. 1C schematically depicts a client request, a first intermediary request, and additional intermediary requests, the last of which is also a service request;

FIG. 1D schematically depicts an example of multiple contemporaneous requests;

FIG. 2A schematically depicts an authenticated remote procedure call with no delegation of rights, as in the prior art;

FIG. 2B schematically depicts a remote procedure call with delegation of rights via an access control program;

FIG. 2C is a flowchart illustrating the steps of a remote procedure call with delegation via an access control program;

FIG. 2D is a flowchart illustrating the steps for revoking access privileges using revocation objects with an example ACP;

FIG. 2E schematically depicts an example that illustrates the use of revocation objects in a situation wherein a single client request generates two intermediary requests;

FIG. 2F is a flowchart illustrating the sequence of steps followed in the example of FIG. 2E;

FIG. 3A schematically depicts a remote procedure call with chained delegation;

FIG. 3B is a flowchart illustrating the steps of a remote procedure call with chained delegation;

FIG. 4A is a flowchart illustrating the steps of the authentication protocol in the Andrew File System of the prior art;

FIG. 4B is a flowchart illustrating the steps of the authentication protocol in a version of the Andrew File System modified according to a specific embodiment of the present invention; and

FIG. 4C schematically depicts an access control program passed in an authentication ticket via a remote invocation facility.

DESCRIPTION OF SPECIFIC EMBODIMENTS

The disclosures in this application of all articles and references, including patent documents, are incorporated herein by reference. Also incorporated by reference are sections 1C, 2V, and 3V of the SUN Solaris 1.1 User Manual, respectively for their descriptions of the Unix command rsh, the Unix command stat, and the Unix setuid facility.

1. Introduction

1.1 Overview and Design Considerations

To get an overview of ACPs, it is helpful to begin with some illustrative analogies. Returning for a moment to the movie theater analogy given earlier, recall that the parent wants to be able to give her child access to any G-rated movie but to no other movies. The parent would like to be able to purchase an advance ticket redeemable for G-rated movies. Better still, the parent would like to avoid the trouble of advance purchase. She would like to be able to write a check for the price of admission to the theater, say $7, with special instructions on the check as follows: "Sell my Child a ticket to a G-rated movie only; pay to Theater $7 for this purpose. Signed, Parent." The theater would accept this check in lieu of cash and give the child access to any G-rated film. Of course, the theater would first ask the child for identification, to be sure that the child was indeed the Child mentioned on the check. Also the theater would check Parent's signature to ensure that the check was not forged.

Translating this example to the client-server domain, the signed check with special instructions is analogous to an ACP of the present invention. The parent-client writes a "check" — an ACP — that grants the child-intermediary only those access rights that the parent-client specifically delegates. The child-intermediary presents the check to the theater-server, who confirms the child-intermediary's identity, verifies the parent-client's digital signature on the ACP, and then executes the ACP to determine whether to grant the child-intermediary access to a particular movie-resource.

In another analogy, consider a person who signs a power-of-attorney document. The power-of-attorney document delegates to an attorney certain rights to do on the person's behalf what the person could do for himself, for example, to draw funds from the person's bank account. Importantly, the person can delegate to the attorney only such rights as he actually has; he cannot, for example, give the attorney the right to draw funds from somebody else's bank account. The person signs the power-of-attorney document to prove that the document is genuine. When the attorney presents the document to a third party, such as a bank, the attorney also presents her own identification to show that the attorney is who she purports to be. It can be seen that the person is analogous to a client, the attorney to an intermediary, the bank to a server, the client's bank account to a resource controlled by the server, and the power-of-attorney document to an ACP. Before allowing the attorney-intermediary to draw funds, the bank-server confirms the attorney-intermediary's identity and authenticates the ACP by verifying the person-client's digital signature attached to the ACP. Thereafter the bank-server reads the power-of-attorney document, that is, executes the ACP. If all is in order, the bank-server then allows the attorney-intermediary to draw funds from the person-client's account-resource on the person-client's behalf.

Several considerations arise in the design of an architecture incorporating access control programs. These include: how ACPs are transmitted between the interested parties, that is, between the client, server, and intermediaries; how ACPs are used by the servers that receive them; how powerful the language that is used to write ACPs should be; how ACPs are revoked once issued; and how ACPs can be used to restrict the rights delegated by other ACPs. The following sections of the description address these considerations and also describe a specific embodiment of the invention that integrates ACPs into a particular file system called the Andrew File System.
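The mechanism sketched so far (a client-created ACP presented with the request, a signature the server verifies, and execution of every ACP in a delegation chain before the server acts) can be modelled compactly. The following Python is an added example and is not code from the patent or from its Andrew File System embodiment: the principals (alice, printsrv, compilesrv, worker), their keys, the file paths and the rule format are all constructed for illustration; the ACP is a declarative list of (request, resource-pattern) rules with an optional expiry rather than the Tcl program of the embodiment; and an HMAC keyed per principal stands in for the digital signature the text describes.

```python
"""Toy model of client-manufactured access control programs (ACPs).

Hypothetical example, not code from the patent or its AFS/Tcl embodiment.
An ACP here is a small declarative specification (request/resource-pattern
rules plus an optional expiry) rather than a Tcl program, and a per-principal
HMAC stands in for the digital signature the patent describes.
"""
import hashlib
import hmac
import json
from fnmatch import fnmatch

# Constructed keys, one per principal; the server is assumed to be able to
# verify the signature of every principal that may sign an ACP.
KEYS = {"alice": b"alice-key", "printsrv": b"print-key",
        "compilesrv": b"compile-key", "worker": b"worker-key"}

# The server's own access control list: rights held without any delegation.
# Constructed for the example; only alice has rights under /home/alice.
ACL = {"alice": [("read", "/home/alice/*"), ("write", "/home/alice/*")]}


def _permits(rules, request, resource):
    """True if some (request, glob pattern) rule covers the request."""
    return any(r == request and fnmatch(resource, pat) for r, pat in rules)


def _sign(signer, body):
    return hmac.new(KEYS[signer], body.encode(), hashlib.sha256).hexdigest()


def make_acp(signer, delegate, rules, expires=None):
    """Client (or intermediary) side: sign an ACP delegating `rules` to
    `delegate`, optionally valid only until the `expires` timestamp."""
    body = json.dumps({"signer": signer, "delegate": delegate,
                       "rules": rules, "expires": expires}, sort_keys=True)
    return {"body": body, "sig": _sign(signer, body)}


def check(name, resource, request, acps, now):
    """Server side: Check(name, resource, request) extended to execute the
    chain of ACPs presented by requester `name`. Returns (granted, reason).

    Every ACP in the chain must authorise the request, so a delegation can
    only narrow rights; the chain must link signer -> delegate -> signer ...
    and end at the requester; and the first signer (the initiator) must hold
    the right under the server's own ACL, since nobody can delegate more
    than they have.
    """
    if not acps:
        return _permits(ACL.get(name, []), request, resource), "acl"
    expected_signer = None
    for acp in acps:
        body = json.loads(acp["body"])
        signer = body["signer"]
        if signer not in KEYS or not hmac.compare_digest(
                _sign(signer, acp["body"]), acp["sig"]):
            return False, f"bad signature on ACP attributed to {signer}"
        if expected_signer is not None and signer != expected_signer:
            return False, f"delegation chain broken at {signer}"
        if body["expires"] is not None and now > body["expires"]:
            return False, f"ACP from {signer} has expired"
        if not _permits(body["rules"], request, resource):
            return False, f"ACP from {signer} does not grant {request} on {resource}"
        expected_signer = body["delegate"]
    if expected_signer != name:
        return False, f"requester {name} is not the final delegate"
    initiator = json.loads(acps[0]["body"])["signer"]
    if not _permits(ACL.get(initiator, []), request, resource):
        return False, f"initiator {initiator} never held {request} on {resource}"
    return True, "granted"


def demo():
    """The print-server and compile-server scenarios from the background."""
    t0 = 1_000_000  # constructed clock value (seconds)
    # Print server: may read one file, and only for an hour.
    print_acp = make_acp("alice", "printsrv",
                         [("read", "/home/alice/report.txt")], expires=t0 + 3600)
    # Compile server: read sources and headers, write only object files,
    # then pass read access (but not write access) on to a worker host.
    compile_acp = make_acp("alice", "compilesrv",
                           [("read", "/home/alice/src/*.c"), ("read", "/home/alice/src/*.h"),
                            ("write", "/home/alice/src/*.o")])
    worker_acp = make_acp("compilesrv", "worker", [("read", "/home/alice/src/*.c")])
    # Tampering: widen a rule after the ACP was signed.
    forged = dict(print_acp, body=print_acp["body"].replace("report.txt", "*"))
    return {
        "print_ok": check("printsrv", "/home/alice/report.txt", "read", [print_acp], t0),
        "print_other_file": check("printsrv", "/home/alice/secret.txt", "read", [print_acp], t0),
        "print_expired": check("printsrv", "/home/alice/report.txt", "read", [print_acp], t0 + 7200),
        "compile_write_obj": check("compilesrv", "/home/alice/src/main.o", "write", [compile_acp], t0),
        "compile_write_src": check("compilesrv", "/home/alice/src/main.c", "write", [compile_acp], t0),
        "worker_read_chain": check("worker", "/home/alice/src/main.c", "read", [compile_acp, worker_acp], t0),
        "worker_write_obj": check("worker", "/home/alice/src/main.o", "write", [compile_acp, worker_acp], t0),
        "worker_without_chain": check("worker", "/home/alice/src/main.c", "read", [worker_acp], t0),
        "forged": check("printsrv", "/home/alice/secret.txt", "read", [forged], t0),
    }


if __name__ == "__main__":
    for case, (granted, reason) in demo().items():
        print(f"{case:22} {'GRANT' if granted else 'DENY '} {reason}")
```

Running the module prints one GRANT/DENY line per scenario: the print server's ACP stops working after the hour, the compile server can write object files but not sources, the worker succeeds only when the whole chain back to alice is presented (the compile server's ACP alone proves nothing, because the compile server holds no rights of its own), and a widened rule fails the signature check. The design point is that the server needs only a small fixed set of concepts (names, patterns, time) while the client composes arbitrary restrictions out of them.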

1.2 Glossary

The following terms are intended to have the following 
general meanings: 

AFS: "Andrew File System": a particular distributed file 
system. 

Access Right: The right to obtain access to or use some resource. Examples: the right to obtain read access for a particular file; the right to execute a particular program. Synonyms: "right"; "privilege."

Access Control List: A list of access rights for a particular 
resource. 

Access Control Program: A programmatic specification of 
access rights. 

Authentication: The act of checking that something or 
someone is what they claim they are. 

Authentication Server: A trusted program or machine that can authenticate various things and/or that can issue encrypted data items that others can use for authentication purposes.

Authentication Ticket: The encrypted data items that an 
authentication server provides to its clients for authentica- 
tion purposes. 

Capability: A token of some sort that can be used as proof of some access right.

Check (name, resource, request): A function used by a server in some embodiments of the present invention. This function checks whether the user or process whose name is "name" has access rights to "resource" that allow "request" to be performed on "resource".

Client: A program that desires access to some resource or operation controlled by a server.

Client Request: A request for access to some resource or operation that is controlled by a server.

Client-Server System: Any system in which resources are 
managed/controlled by server programs/processes and 
requests for access to and use of those resources are made by 
client programs/processes. 

Communications Channel: A means by which two parties 
can reliably communicate with each other. 

Create (resourceName, revocationName): A function that a client can request of a server that will create a revocation object with name "revocationName" for the server's resource named by "resourceName".

Destroy (revocationName): A function that a client can request of a server that will destroy an existing revocation object whose name is "revocationName". Only the client who created a revocation object may destroy it.

Digital Signature: A property private to a user or process that is used for signing sequences of data items. A digital signature for a sequence of data items is a unique data value that is a function of the private property and the sequence of data items to be signed.

Initiator: The original client of a request; the one who has access rights allowing the request without need for delegation of access rights from some other party.

Intermediary: Someone making a request on behalf of some other client. An intermediary must receive delegated access rights in order to successfully make a request to a server.

Intermediary Request: The request made by an intermediary on behalf of some other client.

Kerberos protocol: A particular authentication protocol.

Key: As in encryption key.

NFS: "Network File System" — a particular distributed file system.

Privilege: See "access right."

Revocation Object: An object controlled by a server that can be destroyed at the request of a client in order to invalidate all or part of an access control program that that client has created.

Right: See "access right."

Role: An artificial user identity that has been created in order to specify a specific set of access rights; for example, those pertaining to some particular job or administrative function.

rsh: A Unix command that executes a program on another machine from the one that rsh is invoked on.

Secure Channel: A communications channel whose contents cannot be monitored by third parties.

Server: A program that controls resources that various clients of a system may wish to use or gain access to.

Service Request: A request to a server for access to or use of some resource.

stat: A Unix system call that returns information about a particular file, including its last modification time and who may access it in what fashion.

Template: A prototype for an access control program, containing various fields that must be filled in with specific values in order to instantiate a specific access control program.

Thread of Computation: A specific sequence of computer instructions actually executed by a computer. A computer can interleave the execution of multiple threads of computation by running multiple programs "simultaneously".

2. The Method

2.1 System configuration

FIG. 1A illustrates a system configuration suitable to the method of the present invention. System 1 comprises client 5, server 10, and one or more intermediaries 15, all connected to one another via communications network 20 that comprises a plurality of channels 25. System 1 can in some embodiments further comprise additional servers, clients, and intermediaries (not shown). Server 10 manages a resource 11 to which client 5 has access rights. Client 5 wants to delegate some or all of these rights to one or more of the intermediaries 15.

Client 5, server 10, and intermediaries 15 are processes that execute on one or more computing nodes (not shown). Each process is a software entity that comprises an address space (or protection domain), one or more threads of execution, and possibly one or more input/output streams. Each node is a computer comprising memory and one or more processors. Typically, but not always, processes are associated one-to-one with nodes, so that each process executes on its own node. Threads need not be associated one-to-one with processors.

It is assumed that each process is protected from every other process. Thus where all the processes (client, server, and intermediaries) execute on a single node, each process has its own protected address space in the node's memory. Where different processes execute on different nodes, each node is assumed to have its own individual memory that cannot freely be accessed by other nodes.

The processes communicate with one another through communications network 20. Communications network 20 comprises channels 25 through which the various processes can communicate with one another. Where all the processes execute on a single node, the communications network is a set of interprocess communication links that also execute on the node. Where different processes execute on different nodes, the communications network comprises hardware links and software protocols through which the nodes can communicate with one another. The communications network can, for example, be a local area network or a wide area network and can, for example, incorporate wire, coaxial cable, fiber optic, or other links. The communications network can provide for data encryption in some embodiments.

Server 10 can be any process that controls a resource shared by multiple processes. Without limitation server 10 can be, for example, a storage server, such as a file server or database server; an input/output server, such as a print server; a compute server or remote execution server, such as a supercomputer or mainframe that is shared by multiple users; or a process control server, such as a robot or computer-controlled manufacturing machine. Where the server is a storage server, it can provide for encryption in some embodiments.

Resource 11 can be anything upon which server 10 can perform operations on behalf of other processes. Thus, for example, if server 10 is a file server, resource 11 can be a file or a set or system of files; if server 10 is a print server, resource 11 can be a printer or a print queue; if server 10 is a compute server, resource 11 can be a compiler, graphics package, numerical simulation code, or any other program; if server 10 is a remote banking computer, resource 11 can be a bank account; and, in a more general way, resource 11 is something that a client or intermediary can use, access, or do through server 10. It will further be appreciated that resource 11 can be one of a plurality of resources (not shown) controlled by server 10.

The bulk of the description given herein speaks as though system 1 comprises a single client, a single server, and one or more intermediaries, as depicted in FIG. 1A. Accordingly, the term "client" is most often used herein to indicate the process that issues an initial request, "server" to indicate the ultimate process that responds to the request, and "intermediary" to indicate a process situated between the client and the server. However, as noted above, system 1 can in some embodiments comprise multiple servers and clients, each communicating with the remainder of system 1 through communications network 20. Moreover, it will be appreciated that the terms "server," "client," and "intermediary" are in some sense relative terms, in that the same process can be viewed as a client with respect to one process, a server with
respect to another, and an intermediary with respect to a third. For example, in a case in which a client issues a request to a server through a chain of several intermediaries, each intermediary other than the last one in the chain effectively stands in a client relationship to the server, and each intermediary other than the first one in the chain effectively stands in a server relationship to the client. As another example, consider once again the case in which a client, for instance a workstation, uses a print server to print a file that resides on a file server. In this example, the print server is an intermediary with respect to the client workstation, and the file server is the server. Now suppose that at a later time the same client workstation wants to use the print server to print a different file that is stored locally by the print server, using certain header information to be supplied by a second workstation. Now the second workstation becomes the intermediary, and the print server is the ultimate server with respect to the client workstation.

In some embodiments, as is described more fully below, the invention contemplates the authentication of ACPs by means of digital signatures that can be verified by server 10. In other embodiments, to support ACP authentication system 1 further comprises an authentication server 30 that communicates with the rest of system 1 through communications network 20 via one or more secure channels 35. This is shown in FIG. 1A. Still other kinds of ACP authentication can be used within the scope of the invention.

[...] each intermediary 15. Authentication server 30 and its associated secure channels 35 can be included in system 1 for the purpose of two-party authentication, whether or not authentication server 30 is also used to support ACP authentication. Various other kinds of two-party authentication can also be used within the scope of the invention.

In some embodiments, as is described more fully below, the invention contemplates revocation objects associated with ACPs. In such embodiments, to support revocation objects server 10 has associated with it stable storage 12 that is accessible to server 10. "Stable" data storage is data storage wherein the stored data will survive a server failure, for example an unexpected loss of power to the server. Such storage is typically in the form of a disk file or nonvolatile medium. In embodiments where server 10 is a file server and the server's associated resource 11 is file storage, stable storage 12 can be part of, or the same as, resource 11. This is the situation shown in FIG. 1A. In other embodiments stable storage 12 can be separate and distinct from resource 11.

2.2 Requests

The present invention contemplates the use of ACPs in requests that involve a client, a server, and one or more [...] the client and all preceding intermediaries in the chain), the term "request" is used to refer variously to the client's request to the first intermediary in the chain, the first intermediary's request to the second intermediary in the chain, and so on down the chain through the last intermediary's request to the server, as well as to the overall request from the client to the server.

In the case of the single intermediary, the term "client request" can be used more precisely to indicate the client's request to the intermediary, the term "intermediary request" to indicate the intermediary's request to the server, and the term "service request" to indicate the request received by the server, which in this case is the same as the intermediary request. This is illustrated in FIG. 1B. Client 50 issues request 51, which is a client request, to intermediary 55. In complying with client request 51, intermediary 55 issues its own request 56 to server 60. Request 56 is an intermediary request because it is issued by an intermediary. It is also a service request because it is received by a server.

In the case of multiple intermediaries, the term "client request" can be used more precisely to indicate the client's request to the first intermediary, the term "intermediary request" to indicate any intermediary's request to another intermediary or to the server, the term "first intermediary request" to indicate the first intermediary's request to the second intermediary, the term "additional intermediary request" to indicate the second or a higher-numbered intermediary's request [...] case of three intermediaries. Client 70 issues request 71, which is a client request, to first intermediary 75. In complying with client request 71, first intermediary 75 issues its own request 76 to second intermediary 80. Request 76 is an intermediary request because it is issued by an intermediary, and more particularly is a first intermediary request because it is issued by the first intermediary. Second intermediary 80, in turn, issues request 81 to third intermediary 85. Request 81 is an intermediary request, and more particularly is an additional intermediary request because it is issued by an intermediary other than the first. Finally, the third and last intermediary 85 issues request 86 to server 90. Request 86 is the ultimate and final request in the chain. It is an intermediary request, and more particularly is an additional intermediary request. It is also a service request because it is received by the server.

It should be noted that an arbitrary number of requests can be made by the client or by any intermediary. An example is shown in FIG. 1D. Client 100, a user's workstation, issues client requests 101, 102, and 103. Request 101 is a request to intermediary 105, a print server, to print a file 111 that is stored on file server 110. In response to request 101 intermediary 105 issues service request 106 to server 110. Request 102 is a request to intermediary 115, a compute server, to compile a source code file 112a on file

mtermediaries interposed between the client and server. It server 110 with the resulting object code to be saved in file 

will be observed that the term "request" can be used in 112b on file server 110. In response to request 102 intermc- 
different-jyays.-For ex ample,-in-the-case-of-a client that — diary 115 issues a service request 116a to server 110, asking 

makes a request to a server via a single intermediary (or, put to read the source code file 112a. Later, after compilation is 

differently, the case of a single intermediary that makes a 60 complete, intennediary 115 issues another service request 

request on behalf of a client), the term "request" is used 116b to server 110, asking to write the object code file 112b. 

variously to refer to the client's request to the mtermediary, Request 103 is a request to mtermediary 120, a network 

the intermediary's request to the server, and to the overall server, to access a database 131 located on server 130, a 

request from the client to the server. In the case of a client database server at a location remote from client 100. In 

that makes a request to a server via a chain of mtermediaries 65 response to request 103, mtermediary 120 issues a first 

(or, put differently, the case of a last-m^he-chain interme- mtermediary request 121 to mtermediary 125, a network 

diary that makes an ultimate request of a server on behalf of server at the remote location, mtermediary 125 then issues 
an additional intermediary request 126, which is the service request, to server 130 on behalf of client 100 and intermediary 125.

In what follows, requests are sometimes referred to as remote procedure calls (RPCs). This is because requests take the form of RPCs in certain embodiments of the invention, notably in the embodiment of the invention in a modified version of the Andrew File System as described below. It is to be understood that referring to requests as remote procedure calls or RPCs is merely a convenient shorthand that implies no loss of generality. Other kinds of request besides RPCs are very much within the scope of the invention.

2.3 Delegation via ACPs

The present invention contemplates the use of ACPs in requests such as remote procedure calls that involve a client, a server, and one or more intermediaries interposed between the client and server. For ease of exposition, however, the case of an authenticated remote procedure call that does not involve any intermediaries or delegation of rights will briefly be considered first. This case, which is known in the prior art, is shown in FIG. 2A. Client I_0 makes an RPC to a server S, the call being of the form "op (object ...)". When the server S receives the call, it must determine whether or not to execute the request. The server S proceeds in two steps:

1. First, S verifies the identity of the caller. This it does using authentication protocols such as, for example, those described by R. M. Needham and M. D. Schroeder in their article "Using Encryption for Authentication in Large Networks of Computers," Communications of the ACM 21(12):993-999, Dec. 1978.

2. Second, S verifies that I_0 has permission to perform this request. For example, S calls a function Check (I_0, op, object, ...) which returns true or false. This check may look up I_0 on access lists, check permission bits, or use some other means of checking authorizations.

With the case of the simple RPC thus understood, the more complex operations that are the subject of the present invention will now be considered. These operations involve delegation of access rights to intermediaries. With reference to FIG. 2B, suppose I_0 requests some other process I_1 to perform an operation on its behalf. In this case, I_0 is termed an initiator and I_1 an intermediary. According to the method of the present invention, I_0 creates an access control program P that specifies the set of rights that it wishes to delegate to I_1. The access control program is a procedure that takes as parameters a caller, the operation being performed, and the arguments to this operation, and that returns an indication (e.g., true or false) of whether or not the operation is allowed. After creating P, in a preferred embodiment I_0 digitally signs it with its digital signature, thereby producing <P>_{I_0}, which I_0 includes in its request to I_1. (Digital signatures are known in the art and are described, for example, in D. E. Denning, Cryptography and Data Security, Reading, Mass.: Addison-Wesley Publishing Co., 1982.) The meaning of <P>_{I_0} is "I_0 authorizes anyone to make requests on its behalf, as long as P approves each such request." I_1 then makes a request to S and transmits <P>_{I_0} along with the request.

The flowchart of FIG. 2C further illustrates the preceding steps, as well as the steps executed thereafter by the server S. In step 250 I_0 creates the ACP. In step 252 I_0 digitally signs the ACP to produce <P>_{I_0}. In step 254 I_0 issues its request to I_1; <P>_{I_0} is included in this request. In step 256 I_1 makes a request to S and transmits <P>_{I_0} along with the request. Before honoring the request, server S proceeds as follows:

1. In step 260 S verifies the identity of I_1, the principal making the request.

2. In step 262 S determines whether I_0 has permission to make this request. I_0 cannot delegate rights it does not have. This step can be carried out, for example, as a call to Check (I_0, op, object, ...).

3. In step 264 S verifies that P is correctly digitally signed by I_0.

4. In step 266 S determines whether I_0 approves of the request by executing P (I_1, op, object, ...).

Thereafter, in step 268 S determines whether steps 260, 262, 264, and 266 all have succeeded. If so, then execution proceeds at step 270, in which S executes the request. Otherwise execution proceeds at step 275, in which access is denied and S refuses to execute the request.

Steps 260 and 262 are the same as in the case of a no-intermediary RPC such as that depicted in FIG. 1A, with one important difference: the access check in step 262 is based on the initiator I_0 rather than the caller I_1. Step 264 ensures that the intermediary has not tried to acquire additional rights by manufacturing a forged ACP or by tampering with an existing ACP. Step 266 checks that this particular request meets the restrictions imposed by I_0 on I_1 as specified in P.

The four checks of steps 260, 262, 264, and 266 are the only ones required of the server. In particular, the server does not enforce bounds on an ACP's lifetime or on who is permitted to use the ACP. Because ACPs are programs, they can check these things themselves. If an ACP is to remain valid for only a limited period of time, then it can always return "access denied" if the current time is greater than some built-in expiration date. If an initiator wishes to delegate only to certain intermediaries, then its ACP can check that the caller is one of the valid delegatees. By putting power into the ACP, the delegation mechanisms are simplified.

The purpose of having I_0 digitally sign the ACP is twofold. First, the digital signature proves to the server that the ACP being given to the server is the same ACP that was created and sent by the initiator I_0. Second, the digital signature proves that the initiator I_0, and not an impostor, actually created the ACP. This twofold purpose can also be accomplished in ways other than through the use of digital signatures. For example, in an embodiment to be described below in which the invention is incorporated in a modified version of the Andrew File System, an authentication server is used. As another example, in some systems in which a client, an intermediary, and a server execute on a single node, the node's operating system provides adequate security to ensure that the client's ACP is genuine, and no authentication as such is required. These two examples by no means exhaust the possibilities.

Deciding what operations to allow and disallow in an ACP requires that the initiator know enough about the implementation of the intermediary to give out the appropriate access rights. Note that this is inherent to the task of restricted access delegation and is not specific to ACPs. As an example, consider once again the delegation chain illustrated in FIG. 2C. The operation that I_0 requests of I_1 need not be the same operation that I_1 requests of S. Often, I_1 will need to perform a series of lower-level operations on S in the process of servicing I_0's request. For example, I_0 may instruct I_1 to print a file which resides on S. I_1 may have to make a series of calls to S in order to resolve the file's pathname, open the file, read it, and finally close it. When I_0 writes program P, it must be aware of the operations that I_1
will need to make to S, since P must be certain to grant these, and ideally only these, operations. A later section of this description tells how I_0 can avoid having to know I_1's implementation in some embodiments of the present invention.

2.4 Programming language considerations

Many languages can be used for writing ACPs, ranging from full-featured programming languages to non-procedural languages that simply list patterns to match against the arguments. Any Turing-complete language will suffice, and other languages can also be suitable. Languages containing control constructs (e.g., conditional branching) are an interesting class because they enable multiple possible paths of execution through an ACP.

Of the Turing-complete languages, simple interpreted languages such as Lisp or Tcl (tool command language) are good candidates for writing ACPs. These languages have successfully been used as extension languages to augment the base functionality of various programs. Because ACPs serve a similar purpose, namely, that of extending the core set of access control concepts that a server provides, they are likely to benefit from the same advantages these languages have exhibited in other settings. An example of using Lisp as an extension language is described in R. Stallman, GNU Emacs Manual (Free Software Foundation, Oct. 1986); an example of using Tcl as an extension language is described in J. K. Ousterhout, "Tcl: An embeddable command language," Proceedings of the USENIX Association 1990 Winter Conference (1990).

Where a general-purpose language is used for ACPs, a concern arises with the safety of the server. A malicious or faulty ACP should be prevented from corrupting the server or using excessive resources. The server needs to be protected from program faults, such as NIL pointer dereferences and division by zero, and needs to enforce limits on CPU and storage use. One way to achieve this is to use a carefully coded interpreter for the ACP language. When the interpreter detects one of these conditions it aborts execution of the ACP. If an ACP is aborted, then it is assumed to have returned false, and the request is denied. Because ACPs are expected to be relatively short, strict limits can be placed on them without severely limiting their usefulness.

ACPs depend on access to request parameters and server state information to implement their checks. A core set of information that servers should provide in any ACP implementation includes the requested action and its arguments, the authenticated identity of the requestor, and the current time. Access to the requestor's identity allows checks that restrict who may make the request, and knowing the current time enables expiration checks. Provision of the current time implies the need for globally synchronized clocks. In practice this is not a problem, since most modern distributed systems already employ some form of clock synchronization.

Some clients may wish to specify access controls based on additional information, such as the existence of files. Letting ACPs examine any state in the server could violate security, because an ACP can transmit information to an intermediary via the success or failure of the intermediary's server requests. A better model is to allow an ACP to examine any state which the ACP author could have examined through the normal server interface.
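The interpreter protections and the core request context described above, as an added example in Go that is not part of the patent or of the AFS/Tcl embodiment it describes. The ACP is modelled as a Go function, the interpreter's per-instruction accounting as an explicit Step() call against a step budget, and the server's protection as a recover() around the call; Env, Run and the sample ACPs are this example's own names, and the budget model is its assumption. A faulting or runaway ACP is aborted and treated as having returned false, and the expiring ACP shows the lifetime and delegatee checks that the description leaves to the ACP itself.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Env carries the core information a server provides to every ACP: the
// requested action and its arguments, the authenticated requestor and the
// current time. budget models the interpreter's CPU limit (an assumption).
type Env struct {
	Caller string
	Op     string
	Args   []string
	Now    time.Time
	budget int
}

// Step is what a carefully coded interpreter does once per executed
// instruction: charge the budget and abort the ACP when it is exhausted.
func (e *Env) Step() {
	e.budget--
	if e.budget < 0 {
		panic(errors.New("CPU budget exhausted"))
	}
}

// ACP is an access control program: caller, operation and arguments in,
// allow or deny out. Here it is a Go function; in the description it is
// interpreted code in a language such as Tcl or Lisp.
type ACP func(e *Env) bool

// Run executes an ACP under the server's protection. Any program fault (nil
// dereference, division by zero, index out of range) or budget exhaustion
// aborts the ACP, and an aborted ACP is taken to have returned false.
func Run(p ACP, e *Env, budget int) (allowed bool, reason string) {
	e.budget = budget
	defer func() {
		if r := recover(); r != nil {
			allowed, reason = false, fmt.Sprintf("ACP aborted (%v): request denied", r)
		}
	}()
	if p(e) {
		return true, "ACP returned true"
	}
	return false, "ACP returned false"
}

// ExpiringReadACP shows an initiator bounding lifetime and delegatee itself:
// only the "printer" intermediary may read report.txt, and only until expires.
func ExpiringReadACP(expires time.Time) ACP {
	return func(e *Env) bool {
		e.Step()
		if e.Now.After(expires) {
			return false // built-in expiration date
		}
		e.Step()
		if e.Caller != "printer" {
			return false // not one of the valid delegatees
		}
		e.Step()
		return e.Op == "read" && len(e.Args) == 1 && e.Args[0] == "report.txt"
	}
}

// NilMapACP writes through a nil map: a program fault the server must survive.
func NilMapACP(e *Env) bool {
	e.Step()
	var seen map[string]bool
	seen[e.Caller] = true // panics: assignment to entry in nil map
	return true
}

// DivideByZeroACP divides by a value that is zero at run time.
func DivideByZeroACP(e *Env) bool {
	e.Step()
	zero := len(e.Args) - len(e.Args)
	return 1/zero == 0 // panics: integer divide by zero
}

// RunawayACP never terminates on its own; only the step budget stops it.
func RunawayACP(e *Env) bool {
	for {
		e.Step()
	}
}

func main() {
	now := time.Now()
	env := &Env{Caller: "printer", Op: "read", Args: []string{"report.txt"}, Now: now}
	fmt.Println(Run(ExpiringReadACP(now.Add(time.Hour)), env, 100))
	fmt.Println(Run(NilMapACP, env, 100))
	fmt.Println(Run(DivideByZeroACP, env, 100))
	fmt.Println(Run(RunawayACP, env, 1000))
}
```

The budget is charged from inside the ACP because that is where an interpreter would charge it, once per instruction; an ACP written as a native function cannot otherwise be stopped by Go, so a real server would keep ACPs in an interpreted language exactly as the description recommends.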

In some embodiments of the invention ACPs can also be allowed to make changes to server state. Such a feature introduces a variety of problems concerning resource management. For the most part, a change to server state is preferably made by explicit request rather than as a side effect of an access check. One notable exception to this rule is described in the next section.

2.5 Revocation

The creator of an ACP may want the ability to unilaterally and instantly revoke the rights granted by an ACP. The following is one technique for ACP revocation. The initiator writes the ACP so that the ACP checks for the existence of a revocation object, such as a file, each time it is run. If the revocation object does not exist, the request is denied. At the time the initiator creates the ACP, it also designates the revocation object. When the initiator wishes to revoke the delegated rights, it simply eliminates the revocation object. All subsequent requests from the intermediary will be denied by the ACP. This revocation scheme requires no cooperation from the intermediary. It also requires no involvement by the server, except that the server must allow an ACP to inquire about its associated revocation object, and, in some embodiments, that the server must create and destroy revocation objects at the initiator's request.

An important question is where to store revocation objects. If an ACP restricts access to one or more objects that reside on a single server, then that server (or, more precisely, its associated stable storage) is the ideal storage site for the ACP's revocation object. The check for the existence of the revocation object can be done locally by the server in this case. Things become more complex if an ACP can be used on multiple servers. In this case, either the ACP must be able to read a revocation object stored on a remote server, or else the revocation object must be replicated across the servers.

Another important question concerns how revocation objects are designated. A straightforward scheme is to have the server create revocation objects for each client upon the client's request. The client can request creation of revocation objects at any time; however, to avoid the overhead of repeatedly having to request revocation objects, the client typically requests that a plurality of revocation objects be created ahead of time, for example when the client is initialized or reinitialized. These objects are then available to the client for later use. The client maintains a record of its revocation objects: which 
ones are in use in connection with particular ACPs, which ones are free and available for use with other ACPs, and which ones have been destroyed and are thus no longer available. When the client wants to create a revocable ACP, the client designates one or more of its free revocation objects by associating these objects with particular rights that are to be delegated in the ACP. The client includes code in the ACP such that the delegation of a particular right or rights in the ACP depends on the continued existence of the designated revocation object or objects. The client also updates its record of revocation objects to reflect the designation.

Still another important question concerns how revocation objects are eliminated. Typically, the client eliminates a revocation object in order to revoke the access right that is associated with the revocation object and has previously been delegated in an ACP. The client can also eliminate a revocation object for other reasons, for example, if the client decides that the ACP is no longer needed. Continuing the preceding straightforward scheme, to eliminate a revocation object the client simply requests the server to destroy the object. In response, the server authenticates the client's identity to ensure that the client is not trying to destroy someone else's revocation objects. Upon successful authen-
tication the server complies with the client's request and destroys the revocation object. The client deletes the eliminated object from its record of revocation objects.

By allowing clients to create revocation objects ahead of time, the foregoing scheme for delegating and eliminating revocation objects minimizes communication between client and server. It also preserves an important advantage of the present invention, namely that the client can specify at run time which intermediaries are to have which access privileges, and can do so without the need for further interaction with the server. The exact implementation of the scheme depends on the particular system in which the method of the invention is embodied.

Other schemes to create, designate, eliminate, and destroy revocation objects are within the scope of the invention. For example, if a server can support only a limited number of revocation objects, an allocation policy can be established to determine how many revocation objects any given client can have with respect to the server. Any of a number of such allocation policies, including preallocation of all revocation objects among clients, is possible. No matter what scheme is used, it is important that revocation objects be stored in stable storage, so that they are not inadvertently destroyed, for example through server failures.

There can be as many revocation objects per ACP as is necessary to carry out the purposes of the ACP. In particular, a single ACP can be associated with multiple revocation objects in order to provide for independent revocation of individual access rights with respect to the same request. For example, suppose client C creates an ACP that gives temporary read access to a first file called FILEONE and temporary write access to a second file called FILETWO, both of which are stored on file server S. If there are two revocation objects, one for the access rights to FILEONE and one for the access rights to FILETWO, the client can then, for example, revoke an intermediary's permission to access FILETWO while still permitting access to FILEONE. It does so by eliminating FILETWO's associated revocation object.

FIG. 2D shows the steps involved in revoking access privileges using revocation objects for another example involving FILEONE and FILETWO in one embodiment of the invention. In this example the client makes two requests of the server via the intermediary. The first request concerns FILEONE and is to be executed immediately, while the second request concerns FILETWO and is to be delayed by the intermediary. The client revokes the access privileges to FILETWO before the end of the delay period, so that the second request is partly denied by the server. It is to be understood that this illustrative example concerns only one of the many situations in which revocation objects can be used.

The steps of this example proceed as follows. It is assumed that a number of revocation objects, including R1 and R2, have been created ahead of time by client C at server S. In step 280 client C designates revocation objects R1 and R2 that will correspond, respectively, to delegated access rights for FILEONE and FILETWO. In step 282, the client creates the ACP. The ACP grants access rights to FILEONE only for so long as the revocation object R1 continues to exist, and to FILETWO only for so long as the revocation object R2 continues to exist. In step 284 the client issues a first request to the server via an intermediary I. This request involves access to FILEONE. It is accompanied by the ACP. In step 285 the client issues a second request, which involves access to FILETWO, to the server via the same intermediary I. This request is also accompanied by the ACP. The second request is a delayed request, which the intermediary will not process until a specified delay time elapses.

Next, in step 286 the intermediary I, acting on the client's first request, makes a request to the server S for access to FILEONE. This service request is accompanied by the ACP. In step 288 server S executes the ACP. In so doing, the server tests for the existence of the revocation object R1 before granting access to FILEONE. If the revocation object exists, the request is performed; otherwise it is denied. At this stage of the example, both revocation objects R1 and R2 exist, so the request for access to FILEONE is performed in step 290. Thereafter, in step 291 the client eliminates the revocation object R2, which corresponds to the access rights for FILETWO. In step 292 the delay time for the client's second request elapses. In step 293, the intermediary I, acting on the client's second request after the elapse of the delay, makes a request to the server S for access to FILETWO. This service request is accompanied by the ACP. In step 294 server S executes the ACP. In so doing, the server tests for the existence of the revocation object R2 before granting access to FILETWO. At this stage of the example, R2 no longer exists, so the ACP returns false and the request for access to FILETWO is denied in step 296.

An additional example, shown in FIGS. 2E and 2F, illustrates the use of revocation objects in a situation in which a single client request generates two intermediary requests. In FIG. 2E, client 300 is a user command process executing, for example, on a workstation. Client 300 sends request 303 to compute server 305, asking compute server 305 to compile source code file 311, which is stored on file server 310. Request 303 has an access control program that delegates to compute server 305 the rights to read source code file 311 and to write object code file 312, a version of which is already stored on file server 310 at the beginning of this example. These access rights depend respectively on the continued existence of designated revocation objects 301 and 302. In response to client request 303, compute server 305 will make two service requests to file server 310. The first will be a request 306 to read source code file 311 prior to compilation. The second will be a request 307 to write object code file 312 after compilation is completed.

Next consider what happens if during compilation the user decides that the compilation request was a mistake, and that compute server 305 must not be allowed to replace the existing version of the object code file 312 with a newly compiled version. The user's command process 300 eliminates the revocation object 302 by requesting in request 315 that file server 310 destroy revocation object 302. Thereafter, when compute server 305 requests in request 307 to write object code file 312, the ACP returns false and request 307 is denied.

FIG. 2F flowcharts these steps in greater detail. In step 318 the client designates revocation object R1, which corresponds to revocation object 301 in FIG. 2E, as being associated with the right to read source code file MYPROGRAM.C, which corresponds to source code file 311 in FIG. 2E. Similarly, in step 320 the client designates revocation object R2, which corresponds to revocation object 302 in FIG. 2E, as being associated with the right to write object code file MYPROGRAM.O, which corresponds to object code file 312 in FIG. 2E. In step 321 the client creates the ACP to delegate rights to read MYPROGRAM.C and to write MYPROGRAM.O, contingent upon the continued existence of R1 and R2 respectively. In step 322 the client issues its compilation request to the compute server,
accompanied by the ACP. In step 324 the compute server issues to the file server a request, accompanied by the ACP, to read MYPROGRAM.C. This request corresponds to request 306 in FIG. 2E. In step 326, the file server executes the ACP. R1 exists and the ACP returns true. In step 328, the file server grants read access to MYPROGRAM.C to the compute server. In step 329 the compute server proceeds to compile MYPROGRAM.C. In step 330, the user decides not to compile after all, and accordingly the client eliminates revocation object R2 in step 332 by requesting the file server to destroy R2. In step 334 the file server complies with this request and destroys R2. In step 336 the compute server finishes compiling MYPROGRAM.C. In step 338 the compute server issues to the file server a request, accompanied by the ACP, to write MYPROGRAM.O. This request corresponds to request 307 in FIG. 2E. In step 340 the file server executes the ACP. R2 no longer exists and the ACP returns false. In step 342, the file server denies write access to MYPROGRAM.O to the compute server. This completes the example.

If revocation is used often, special support for revocation objects can be provided by the server. The revocation objects are cached in memory to allow quick checks by the ACPs. The only operations on the cached revocation objects are Create, TestForExistence, and Destroy, which, respectively, create, test for the existence of, and destroy the revocation objects. Only the TestForExistence operation is available to the ACP itself.

Another form of revocation is "use-once" semantics, in which an ACP is automatically revoked after it is used, rather than being available for reuse by the initiator. In the printer example given earlier, suppose the initiator wishes that the printer only be allowed to read the file to be printed once. This can be supported by allowing ACPs to invoke the Destroy operation on their own revocation objects. While this violates the principle that ACPs should be free of side effects, permitting an ACP to destroy its revocation objects can be considered safe enough and useful enough to warrant an exception to the rule.
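The revocation-object scheme of section 2.5 and the FIG. 2D walk-through above, together with the use-once variant just described, as an added Go example that is not code from the patent or from its AFS embodiment. RevocationStore, ACPView, Serve, the owner check in Destroy and the file and object names are this example's own assumptions; the store is kept in memory here, whereas the description requires stable storage so that objects survive a server failure.

```go
package main

import (
	"errors"
	"fmt"
)

// RevocationStore stands for the server's store of revocation objects. It is in
// memory here; the description calls for stable storage (assumption of the example).
type RevocationStore struct {
	owner  map[string]string // revocation object name -> client that created it
	nextID int
}

func NewRevocationStore() *RevocationStore {
	return &RevocationStore{owner: map[string]string{}}
}

// Create allocates a fresh revocation object for the authenticated client, who
// normally asks for a batch ahead of time and records the names it receives.
func (s *RevocationStore) Create(client string) string {
	s.nextID++
	name := fmt.Sprintf("R%d", s.nextID)
	s.owner[name] = client
	return name
}

// TestForExistence is the one operation every ACP is allowed to use.
func (s *RevocationStore) TestForExistence(name string) bool {
	_, ok := s.owner[name]
	return ok
}

// Destroy eliminates an object. The server authenticates the requester and
// refuses to destroy an object created by a different client.
func (s *RevocationStore) Destroy(client, name string) error {
	owner, ok := s.owner[name]
	if !ok {
		return errors.New(name + " does not exist")
	}
	if owner != client {
		return errors.New(client + " does not own " + name)
	}
	delete(s.owner, name)
	return nil
}

// ACPView is what the interpreter exposes to an ACP: existence tests, plus
// Destroy for the use-once exception. Create is deliberately not exposed.
type ACPView interface {
	TestForExistence(name string) bool
	Destroy(client, name string) error
}

type Request struct{ Op, File string }

// ACP takes the caller (the intermediary), the operation and its argument.
type ACP func(v ACPView, caller string, req Request) bool

// RevocableACP is the program of the FIG. 2D example: read FILEONE while r1
// exists and write FILETWO while r2 exists, so each right is revocable on its own.
func RevocableACP(r1, r2 string) ACP {
	return func(v ACPView, caller string, req Request) bool {
		if req.Op == "read" && req.File == "FILEONE" {
			return v.TestForExistence(r1)
		}
		if req.Op == "write" && req.File == "FILETWO" {
			return v.TestForExistence(r2)
		}
		return false
	}
}

// UseOnceACP lets the printer read file exactly once: having approved, the ACP
// destroys its own revocation object, the side-effect exception described above.
func UseOnceACP(initiator, r, file string) ACP {
	return func(v ACPView, caller string, req Request) bool {
		if caller != "printer" || req.Op != "read" || req.File != file || !v.TestForExistence(r) {
			return false
		}
		return v.Destroy(initiator, r) == nil
	}
}

// Serve is the server acting on an intermediary request that carries an ACP:
// run the ACP against the revocation store and follow its verdict.
func Serve(store *RevocationStore, acp ACP, caller string, req Request) bool {
	return acp(store, caller, req)
}

func main() {
	store := NewRevocationStore()
	r1, r2 := store.Create("C"), store.Create("C") // created ahead of time, designated in step 280
	acp := RevocableACP(r1, r2)                     // step 282
	fmt.Println("read FILEONE:", Serve(store, acp, "I", Request{"read", "FILEONE"}))   // steps 288-290
	fmt.Println("destroy R2:", store.Destroy("C", r2))                                   // step 291
	fmt.Println("write FILETWO:", Serve(store, acp, "I", Request{"write", "FILETWO"})) // steps 294-296
}
```

Revocation needs nothing from the intermediary and nothing from the server beyond the existence test: the second FILETWO request is denied purely because the ACP, unchanged, now finds R2 gone.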

Still other revocation schemes are within the scope of the present invention. For example, a revocation object could be a file that is associated with multiple ACPs and that contains a list of tuples (ACP, revocation status). To check for revocation in this scheme, the ACP accesses its associated revocation object and determines whether its status is revoked. In comparison with the one-ACP-per-revocation-object scheme described above, this scheme does not take full advantage of the fact that file servers typically are optimized to check very rapidly for the existence of files and are not optimized to search through data within files.

2.6 Chained delegation

Now that the use of ACPs to delegate access rights to a single intermediary has been described, next is considered the case of cascaded delegation among multiple intermediaries. With reference to FIG. 3A, after I_0 has delegated rights to I_1, I_1 may wish to delegate some of these rights to a second intermediary, I_2. To do so, I_1 writes a second ACP P_1, digitally signs it and sends both ACPs to I_2. I_2 presents both ACPs to the server when it makes its request.

The flowchart of FIG. 3B further illustrates the preceding steps, as well as the steps executed thereafter by the server S, for the general case of n intermediaries. In step 350 I_0 creates a first ACP. In step 352 I_0 digitally signs this ACP to produce <P>_{I_0}. In step 354 I_0 issues its request to I_1; <P>_{I_0} is included in this request. Steps 355, 356, and 357 are then executed repeatedly for values of i from 1 to n-1 inclusive. In step 355 I_i creates an ith ACP. In step 356 I_i digitally signs this ACP to produce <P>_{I_i}. In step 357 I_i issues its request to I_{i+1}; all the ACPs created so far, that is, <P>_{I_0} ... <P>_{I_i}, are included in this request. In step 358, I_n issues a request to S and transmits all the ACPs, that is, <P>_{I_0} ... <P>_{I_{n-1}}, along with the request.

When the server S receives this request, it must check, by calling P_0, that I_0 has delegated rights to I_1. Similarly, by calling P_1, S checks that I_1 has delegated rights to I_2. In the general case, S has received a call from I_n along with n ACPs, <P_0>_{I_0}, <P_1>_{I_1}, ..., <P_{n-1}>_{I_{n-1}}. It proceeds as follows:

1. In step 360 S verifies the identity of I_n, the principal making the request.

2. In step 362 S determines whether I_0 has permission to make this request. This can be carried out, for example, as a call to Check (I_0, op, object, ...).

3. In step 364 S verifies that each P_i is correctly signed by I_i.

4. In step 366 S verifies that each I_i has delegated the required rights to I_{i+1}, for values of i ranging from 0 to n-1, viz.:
   S determines whether I_0 approves of the request by calling P_0 (I_1, op, object, ...).
   S determines whether I_1 approves of the request by calling P_1 (I_2, op, object, ...).
   ...
   S determines whether I_i approves of the request by calling P_i (I_{i+1}, op, object, ...).
   ...
   S determines whether I_{n-1} approves of the request by calling P_{n-1} (I_n, op, object, ...).

Thereafter, in step 368 S determines whether steps 360, 362, 364, and all executions of step 366 have succeeded. If so, S executes the request in step 370. Otherwise execution proceeds at step 375, in which access is denied and S refuses to execute the request.

The delegation of rights along the chain from intermediary to intermediary can be represented by way of a formula. Let the initiator's set of rights be denoted as R. The set R specifies what operations the initiator is allowed to perform on which objects. Let D(I_i) denote the rights delegated by intermediary I_i via its ACP. D(I_0) is the set of rights delegated by the initiator's ACP. Then the general formula for the set of rights obtained by the nth intermediary is

$$R \cap D(I_0) \cap D(I_1) \cap \cdots \cap D(I_{n-1})$$

This formula says that the rights of intermediary I_n are the rights of the initiator as restricted by all the access control programs of the intermediaries along the way (including the initiator's).
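The server-side checks of section 2.3 (steps 260-268) and their chained form in steps 360-368 above, as an added Go example that is not code from the patent or its AFS embodiment. It assumes ed25519 signatures for <P_i>_{I_i}, a JSON-encoded pattern-list ACP (one of the non-procedural ACP languages the description allows), a server-held table of trusted public keys standing in for the principal authentication of step 360, and the names Principal, Server, Authorize and Execute, all of which are this example's own. Authorize with a single ACP is the FIG. 2C case; with a chain it computes, for one request, whether that request lies in R ∩ D(I_0) ∩ ... ∩ D(I_{n-1}).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Principal is a party that can sign ACPs. The description's digital signature
// is realised here with ed25519 (an assumption of this example).
type Principal struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPrincipal(name string) *Principal {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Principal{Name: name, Pub: pub, priv: priv}
}

// Request is the call "op (object ...)" as the server sees it.
type Request struct{ Op, Object string }

// ACP uses a non-procedural pattern language: the (op, object) patterns the
// signer allows ("*" matches anything) and, optionally, the callers that may use it.
type ACP struct {
	Allow   []Request       `json:"allow"`
	Callers map[string]bool `json:"callers,omitempty"` // empty: any caller
}

// SignedACP is <P_i>I_i: the encoded program, its signer and the signature over it.
type SignedACP struct {
	Program []byte
	Signer  string
	Sig     []byte
}

func (p *Principal) Sign(acp ACP) SignedACP {
	body, _ := json.Marshal(acp)
	return SignedACP{Program: body, Signer: p.Name, Sig: ed25519.Sign(p.priv, body)}
}

// Execute runs P_i with parameters (caller, op, object). A program the
// interpreter cannot parse is treated as having returned false.
func Execute(program []byte, caller string, req Request) bool {
	var acp ACP
	if err := json.Unmarshal(program, &acp); err != nil {
		return false
	}
	if len(acp.Callers) > 0 && !acp.Callers[caller] {
		return false
	}
	for _, a := range acp.Allow {
		if (a.Op == "*" || a.Op == req.Op) && (a.Object == "*" || a.Object == req.Object) {
			return true
		}
	}
	return false
}

// Server holds the conventional access list consulted by Check (steps 262/362)
// and the public keys it trusts when verifying ACP signatures (steps 264/364).
type Server struct {
	ACL  map[string][]Request
	Keys map[string]ed25519.PublicKey
}

func (s *Server) Check(principal string, req Request) bool {
	for _, r := range s.ACL[principal] {
		if r == req {
			return true
		}
	}
	return false
}

// Authorize is steps 362-368 of FIG. 3B; with one ACP it is steps 262-268 of
// FIG. 2C. caller is I_n, whose identity the server has already verified
// (step 360); chain is <P_0>I_0 ... <P_{n-1}>I_{n-1} in delegation order.
func (s *Server) Authorize(caller string, chain []SignedACP, req Request) (bool, string) {
	if len(chain) == 0 { // the no-intermediary RPC of FIG. 2A
		return s.Check(caller, req), "direct request"
	}
	if !s.Check(chain[0].Signer, req) { // step 362: nobody can delegate a right it lacks
		return false, "initiator lacks the right"
	}
	for i, sa := range chain {
		// step 364: P_i must be validly signed by I_i with a key the server trusts,
		// so a forged or tampered ACP fails here
		key, known := s.Keys[sa.Signer]
		if !known || !ed25519.Verify(key, sa.Program, sa.Sig) {
			return false, fmt.Sprintf("P_%d is not validly signed by %s", i, sa.Signer)
		}
		next := caller // step 366: I_i must approve the request as made by I_{i+1}
		if i+1 < len(chain) {
			next = chain[i+1].Signer
		}
		if !Execute(sa.Program, next, req) {
			return false, fmt.Sprintf("P_%d does not approve %s", i, next)
		}
	}
	return true, "granted" // the request lies in R ∩ D(I_0) ∩ ... ∩ D(I_{n-1})
}

func main() {
	i0, i1 := NewPrincipal("I0"), NewPrincipal("I1")
	s := &Server{ACL: map[string][]Request{"I0": {{"read", "FILEONE"}}},
		Keys: map[string]ed25519.PublicKey{"I0": i0.Pub, "I1": i1.Pub}}
	p0 := i0.Sign(ACP{Allow: []Request{{"read", "FILEONE"}}, Callers: map[string]bool{"I1": true}})
	fmt.Println(s.Authorize("I1", []SignedACP{p0}, Request{"read", "FILEONE"}))
}
```

Note that Check is applied to the initiator, not to the caller, exactly as step 262 requires, and that the only thing the server must know about the intermediaries is their public keys; lifetime and delegatee restrictions live inside the ACPs themselves, as the Callers field shows.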

initiator's). 

Now that the use of ACPs to delegate access rights to a Cascades of intermediaries can be more complex than the 

single intermediary has been described, next is considered 55 simple chain described here. For example, the present inven- 

the case of cascaded delegation among multiple intexmedi- tion contemplates situations in which multiple intermediar- 

aries. With reference to FIG. 3 A, after 1q has delegated rights ies execute in parallel as well as or in addition to a serial 
— to-I^-Ij-inay wish-tO-delegate some of these-rights to a —chain- Moreover, in any situation involving a cascade of 

"second intermediary, I^, To do so, I, writes a second ACPP lt " mtermediaries, some or all of the mtermediaries can have 

digitally signs it and sends both ACPs to ^ presents both & revocation objects associated with their ACPs. It will be 

ACPs to the server when it makes its request appreciated that these example situations are illustrative and 

The flowchart of FIG. 3B further illustrates the preceding are not intended to limit the invention's scope. 

steps, as well as the steps executed thereafter by the server ^ „ 

S.for the general case of n intermediaries. In step 350 3 ' A Specific Embodiment Using a Modified 

creates a first ACT. In step 352 !<, digitally signs this ACPto «s Version of the Andrew Pile System 

produce <P>'0. In step 354 Zq issues its request to I t ; <P>'0 Files represent a type of object mat is widely used and for 

i$ included in this request Steps 355, 356, and 357 are then which access control is crucial. An «*"»>wHmfn* of the 
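The chain formula above, carried through in code. This is an added example and not part of the patent: the universe of (operation, object) rights, the three ACPs and the object names are all constructed, and each ACP is modelled as a predicate over a request so that D(I_i) can be enumerated. It also shows what the formula implies for the server's per-request check: an ACP added later in the chain can narrow the rights reaching I_n but never widen them.

```python
from itertools import product

OPERATIONS = ("fetch", "store", "remove")
# Constructed object names standing in for AFS file identifiers.
OBJECTS = ("/", "/user", "/user/joe", "/user/joe/paper.ps", "/user/joe/notes")

# R: the initiator's own rights as the server's ACLs grant them (constructed:
# everything except writes to the root directory).
INITIATOR_RIGHTS = {(op, obj) for op, obj in product(OPERATIONS, OBJECTS)
                    if not (obj == "/" and op != "fetch")}

def acp_initiator(req):
    """I_0's ACP (constructed): read-only access to everything under /user/joe
    and to the directories on the path to it."""
    return req["opclass"] == "fetch"

def acp_first_intermediary(req):
    """I_1's ACP (constructed): only the one file it needs, plus its path."""
    return req["object"] in ("/", "/user", "/user/joe", "/user/joe/paper.ps")

def acp_overreaching(req):
    """A second ACP written by I_1 that names rights I_1 never received."""
    return req["opclass"] == "store" or req["object"] == "/user/joe/paper.ps"

def delegated_rights(acp):
    """D(I_i): the set of rights an ACP admits over the whole universe."""
    return {(op, obj) for op, obj in product(OPERATIONS, OBJECTS)
            if acp({"opclass": op, "object": obj})}

def rights_of_nth_intermediary(base_rights, acps):
    """R_n = R ∩ D(I_0) ∩ ... ∩ D(I_{n-1}) for the ACPs presented in chain order."""
    rights = set(base_rights)
    for acp in acps:
        rights &= delegated_rights(acp)
    return rights

def server_authorizes(base_rights, acps, opclass, obj):
    """The server's decision for one request: the initiator must hold the right
    and every ACP presented along the chain must return true."""
    request = {"opclass": opclass, "object": obj}
    return (opclass, obj) in base_rights and all(acp(request) for acp in acps)

if __name__ == "__main__":
    chain = [acp_initiator, acp_first_intermediary]
    r2 = rights_of_nth_intermediary(INITIATOR_RIGHTS, chain)
    # The per-request check agrees with the set formula on every right.
    for op, obj in product(OPERATIONS, OBJECTS):
        assert server_authorizes(INITIATOR_RIGHTS, chain, op, obj) == ((op, obj) in r2)
    print(sorted(r2))
```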
3. A Specific Embodiment Using a Modified Version of the Andrew File System

Files represent a type of object that is widely used and for which access control is crucial. An embodiment of the present invention has been built wherein ACPs have been integrated into a distributed file system called the Andrew File System (AFS). Aspects of AFS that are relevant to the present invention are described below. A more complete description of AFS may be had by reference to the article by J. Howard, M. Kazar, S. Menees, D. Nichols, M. Satyanarayanan, R. Sidebotham, and M. West, "Scale and Performance in a Distributed File System," ACM Transactions on Computer Systems 6(1):51-81, Feb. 1988. It is to be understood that ACPs according to the method of the present invention find applicability with other file systems besides AFS and with other types of servers besides file servers.

The Appendix to this application shows the modifications made to release 3 of the Andrew File System (as it appeared on the Aug. 19, 1990 Mt. Xinu release tape of the Mach operating system) and to Tool Command Language release 3.3 in order to produce the specific embodiment of the invention in the modified version of the Andrew File System as described below. More about the Appendix, including copyright information, is discussed in the section Software Appendix that appears near the beginning of this application.

3.1 Integrating ACPs into AFS

AFS is a distributed file system that operates in the context of the Unix operating system. It allows for one or more file servers and one or more clients. Each client and each server executes on its own separate node. All the clients can communicate with all the servers via a communications network. Clients can act as intermediaries with respect to one another through the use of a remote invocation facility, through which clients can execute Unix commands on other clients.

AFS supports the caching of files, that is, the local copying by a client of certain heavily used files that the client obtains from a server. When a client finds a current copy of a file in its cache, it is spared the overhead of having to go to the server to get the file. AFS has a cache manager that maintains cache coherence; that is, the cache manager ensures that a client gets the correct version of a file and does not mistake an obsolete cached version of the file for the current version. For example, suppose that file FILEONE is on server S1. Client C1 reads FILEONE and caches it. Thereafter client C2 writes a new version of FILEONE to server S1. The next time client C1 reads FILEONE, AFS must ensure that C1 reads the new version of FILEONE from server S1 and ignores the now-obsolete version of FILEONE stored in its cache.

In the prior art AFS uses a combination of access control lists and protection bits to control access to files. A variant of the Kerberos protocol is used to authenticate clients. (A description of the Kerberos protocol is found in J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Kerberos: An Authentication Service for Open Network Systems," in Proceedings of the Winter 1988 USENIX Conference (Dallas, Tex., Feb. 1988) at 191-201.) The protocol that AFS uses to authenticate clients in the prior art is as shown in the flowchart of FIG. 4A: In step 410 a client I_0 contacts an authentication server AS. In step 412 the client I_0 requests from the authentication server AS an authentication ticket for communicating with a file server S. This request is made on a secure channel. (Secure channels are known in the prior art and are described, for example, in Denning, Cryptography and Data Security, supra.) In step 414 the authentication server AS creates a session key K_s. In step 416 the authentication server AS returns the session key with a ticket that has been encrypted with the file server's key K_S. This ticket contains the session key along with timeout information and I_0's identity.

In the specific embodiment of the present invention that will now be described, the prior art AFS authentication protocol of FIG. 4A is replaced by the protocol illustrated in the flowchart of FIG. 4B. The format of the authentication tickets used in AFS is modified so that they can optionally include an ACP. To obtain such a ticket, a client I_0 proceeds as follows: In step 460, the client I_0 contacts an authentication server AS. In step 462 the client I_0 requests from the authentication server AS through a secure channel an authentication ticket for communicating with a file server S. I_0 sends an access control program P along with the request to AS. In step 464 the authentication server AS creates a session key K_s. In step 466 the authentication server AS returns to I_0 the session key with a ticket that has been encrypted with the file server's key K_S. AS includes the access control program P in this ticket. The ticket, when transmitted to S, convinces S that AS believed I_0 was the author of P. This is the signature needed to convince S to use P.

Tickets in AFS are at most 2000 bytes long, which leaves room for an ACP of approximately 1900 bytes in the specific embodiment. Variations of the embodiment can accommodate larger ACPs through more substantial changes to the AFS protocol. There is an advantage, however, to keeping ACPs short, namely, that short ACPs are less apt to contain programming bugs than are longer ACPs, and are therefore more likely to be trustworthy. With short ACPs, the initiator minimizes the possibility that it will inadvertently give away to intermediaries any access rights other than the ones it intends to give away.

Aside from generating ACPs and including them in requests to the authentication server, no changes are made to the AFS client in this embodiment of the invention. When the AFS client obtains a ticket from the AS, the client passes the ticket to a server along with a file system request in the usual manner. When a server receives a request that includes an ACP, it interprets the ACP to determine whether or not to grant the request.

The specific embodiment permits ACPs to be used in conjunction with the existing remote invocation facility of AFS. This facility, which is a modified version of the Unix rsh (remote shell) command, executes an arbitrary Unix command on another workstation. FIG. 4C illustrates an interaction in which an AFS client I_0 uses the remote invocation facility to run some command on intermediary I_1. When the intermediary contacts the server, it presents the ticket containing the ACP. The server treats this as though the initiator had made the connection, but restricts access as specified by the ACP.

The specific embodiment of the present invention in AFS affords increased security over the unmodified AFS system. AFS's version of rsh simply passes the user's authentication ticket and session key to the intermediary in the clear. The intermediary, as well as an intruder eavesdropping on the net, can use the ticket to obtain the full rights of the initiator. With ACPs, these rights can be restricted and given short expiration times.

Variations on the specific embodiment can provide still more security by incorporating means whereby the server can independently authenticate the intermediary. For example, in one such variation the server is passed two authentication tickets, one for the initiator, which contains the ACP, and one for the intermediary. This provides additional security because the ACPs can discriminate based on the identity of the intermediary.
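A model of the FIG. 4B ticket flow, added here as an example; it is not the AFS or Kerberos wire format and not the patent's code. The embodiment encrypts the ticket under the file server's key K_S; this model stands in for that with an HMAC tag under a key K_S shared only by AS and S, which is enough to show the property the text relies on: S accepts the ACP only from a ticket that AS produced and that has not timed out, and nobody relaying the ticket can alter the ACP inside it. Identities, keys, the lifetime values and the ACP text are constructed.

```python
import hashlib, hmac, json, os

MAX_TICKET_BYTES = 2000        # AFS ticket size limit stated in Section 3.1
TAG_LEN = 32                   # HMAC-SHA256 tag appended to the ticket body

class AuthenticationServer:
    """AS of FIG. 4B: holds every file server's key K_S (constructed)."""
    def __init__(self, server_keys):
        self.server_keys = server_keys

    def issue_ticket(self, client_id, server_name, acp_text, lifetime, now):
        """Steps 462-466: return (session key K_s, ticket).  The ticket binds
        I_0's identity, K_s, the timeout and the ACP P under K_S."""
        session_key = os.urandom(16).hex()
        body = json.dumps({"client": client_id, "session_key": session_key,
                           "expires": now + lifetime, "acp": acp_text},
                          separators=(",", ":")).encode()
        tag = hmac.new(self.server_keys[server_name], body, hashlib.sha256).digest()
        ticket = body + tag
        if len(ticket) > MAX_TICKET_BYTES:
            raise ValueError("ACP too large for a %d-byte ticket" % MAX_TICKET_BYTES)
        return session_key, ticket

class FileServer:
    """S: trusts a ticket only if AS made it and it has not expired."""
    def __init__(self, key):
        self.key = key

    def open_ticket(self, ticket, now):
        """Return the trusted fields (client, session_key, expires, acp) or None."""
        if len(ticket) <= TAG_LEN:
            return None
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # not made by AS, or altered in transit
        fields = json.loads(body)
        if now >= fields["expires"]:
            return None                      # the ticket's timeout information
        return fields

def ticket_with_replaced_acp(ticket, new_acp):
    """Constructed for the check below: the same ticket with a different ACP in
    the body but the original tag, the best a relay without K_S could produce."""
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    fields = json.loads(body)
    fields["acp"] = new_acp
    return json.dumps(fields, separators=(",", ":")).encode() + tag

def serve(server, ticket, request, interpret, now):
    """One request at S.  The ACP that decides is the one inside a verified
    ticket, never one handed over loose by the intermediary.  `interpret` is
    the server's ACP interpreter (here any callable (acp_text, request) -> bool)."""
    fields = server.open_ticket(ticket, now)
    if fields is None:
        return False
    return bool(interpret(fields["acp"], request))
```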
The specific embodiment permits an intermediary to 
receive or modify only data for which at least one of the 
client's users has access. For example, if the client is a 
workstation, at least one of the workstation's users must 
have access to the data. The embodiment does not ensure 
that data belonging to an individual user of the workstation 
is protected against unauthorized access by another user of 
the same workstation. This follows from the operation of the 
AFS cache manager at the workstation. Because a worksta- 
tion can be used by more than one user, the AFS cache 
manager duplicates the permission checks that the file server 
performs. This prevents a user from reading a file for which 
he has no access rights but that is in the cache due to another 
user on the same workstation. However, the intra- 
workstation security check sometimes fails to protect data 
properly. Variations on the embodiment can incorporate 
changes to the cache manager to ensure data protection for 
each individual user. 

3.2 An ACP language 

The specific embodiment of the invention in AFS uses Tcl 
as the language for writing ACPs. Tcl is suitable because it 
has a small re-entrant interpreter. Although Tcl delivers 
adequate performance, the Tcl interpreter is not optimized 
for speed. Other languages having faster interpreters can be 
used in variations of the specific embodiment. Lisp is one 
possibility. The GNU Emacs Lisp interpreter (described in 
R. Stallman, GNU Emacs Manual, supra) is 3-50 times 
faster than the Tcl interpreter, depending on the mix of 
integer and string operations. 

ACPs written in Td cannot make calls on the file system 
or modify the state of the server in any way. Nevertheless, 
they do have access to some information in addition to the 
requested operation and its actual parameters. This informa- 
tion includes a classification of the request as to whether it 
reads or writes data, the parent directory of the file being 
operated upon, and the current time. The classification 
information simplifies ACPs since they need not list all 
possible operations. The parent directory makes it conve- 
nient to write ACPs that restrict access to a single directory. 

The embodiment incorporates a few changes made to the 
Tcl interpreter to protect the server from malicious or faulty 
ACPs. These changes include a bound on the number of Tcl 
statements that can be executed in an ACP, a bound on the 
amount of storage an ACP can allocate, and a bound on 
recursion depth. If an ACP exceeds any of these bounds, 
then it is terminated and treated as though it returned false, 
i.e., access is denied. 

Following is a source code listing for a sample ACP 
written in Tcl that a user might want to use within the 
specific embodiment: 



    /* Example 1 */
    expr {
        [string compare $opclass "fetch"] == 0
        && [string compare $filename "/user/joe/paper.ps"] == 0
        && [string compare $caller "fred"] == 0
    }



The user would intend the program to allow read access by 
user "fred" to a single file, "/user/joe/paper.ps". Although 
the program appears at first to be a reasonable ACP, it does 
not actually work in this embodiment. The reasons that it 
does not work are described in the next section. 
3.3 Problems encountered in practice 

Three major problems prevent users from writing simple 
ACPs like that presented in the preceding source code 
listing. Although these problems are specific to AFS, they 
are worth discussing since they are representative of the 
types of difficulties that can be encountered in integrating 
ACPs into existing systems. 
First, an intermediary does not have an identity of its own. 
The AFS designers decided to avoid the substantial admin- 
istrative overhead that would be entailed in establishing 
identities for all workstations and in handling key distribu- 
tion and protection. This is not unusual in existing systems. 
Therefore, even in a variation on the specific embodiment in 
which authentication tickets can be passed to the server as 
described above, the server cannot require an authentication 
ticket from the intermediary. Thus, an ACP cannot check the 
identity of the intermediary. 
Second, file servers in systems like AFS or NFS employ 
unique object identifiers (ids) instead of human-readable 
names in most of their access requests. ACPs must refer to 
these file identifiers. This requirement makes it substantially 
harder for humans to write ACPs than would be the case if 
the ACPs could refer to human-readable names. Moreover, 
this requirement prevents ACPs from checking whether a 
file name matches some pattern. For example, it may be 
desirable for an ACP to grant access to files having names 
of the form "*.o," where "*" is a wildcard, but not to files 
having names of the form "*.x." This is not possible in the 
specific embodiment since ACPs are passed file ids rather 
than names. A variation of the specific embodiment can be 
constructed in which the server provides a mapping from 
object id to the appropriate human-readable name for an 
object. However, the human-readable name for an object 
may not be unique since AFS allows symbolic links, that is, 
indirect references to files by means of human-readable 
names that point directly or indirectly to actual file identi- 
fiers. In this case the server must take care to map the object 
id to the appropriate name, probably the name under which 
a file was opened. Depending on the server, the information 
needed to decide which mapping to use may or may not be 
available at the time an access request is made. 

Third, AFS clients are responsible for resolving a file's 
pathname. Each of the directories from the root of the file 
system to the file name must be retrieved by the client 
workstation. Thus, an ACP that wants to delegate read 
access to an individual file must also give read permission to 
the directories in the file's pathname. 

Following is a source code listing for a valid ACP that 
provides read access to file "/user/joe/paper.ps": 



    /* Example 2 */
    expr {
        [string compare $opclass "fetch"] == 0
        && ([string compare $fid "20000012 00000d24 00001a8d"] == 0
            || [string compare $fid "20000001 00000001 00000032"] == 0
            || [string compare $fid "2000000a 00000?30 000024c2"] == 0
            || [string compare $fid "20000012 00001b65 00000092"] == 0)
    }



In this program, the file id for "paper.ps" is "20000012 
00000d24 00001a8d". The ACP also includes the file ids for 
the "/", "user" and "joe" directories. This ACP, which has the 
same intended effect as the nonworking one introduced 
above, works properly and actually can be used within the 
specific embodiment of the present invention in AFS. 

Users may find it cumbersome to write ACPs like that 
presented in the previous program (Example 2). A tool that 
automatically converts an ACP like the one in Example 1 to 
one like Example 2 is thus desirable. Such a tool is outlined 
in a later section. 
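A client-side translator of the kind the preceding paragraph calls for, written here as an added example (it is not the patent's tool). It turns the name-based intent of Example 1 into a fid-based ACP shaped like Example 2, adding the fids of every directory on the path (problem 3), expanding shell-style patterns such as "*.o" at generation time because the server-side ACP sees only fids (problem 2), and doubles as an instantiation of the ReadOneFile template described in Section 4. The name-to-fid table is a constructed stand-in for what a client learns while resolving the path; only the paper.ps fid is taken from the page, and the template's lifetime and user slots are omitted because the page's ACPs expose no variable for them.

```python
from fnmatch import fnmatch
import posixpath

# Constructed name-to-fid table; only the paper.ps id comes from the page.
NAME_TO_FID = {
    "/":                  "20000001 00000001 00000001",
    "/user":              "2000000a 00000002 00000002",
    "/user/joe":          "20000012 00000003 00000003",
    "/user/joe/paper.ps": "20000012 00000d24 00001a8d",
    "/user/joe/main.c":   "20000012 00000004 00000004",
    "/user/joe/main.o":   "20000012 00000005 00000005",
    "/user/joe/util.o":   "20000012 00000006 00000006",
}

def ancestors(path):
    """Every directory from the root down to path's parent: the client must be
    allowed to fetch each of them to resolve the pathname."""
    dirs, cur = [], posixpath.dirname(path)
    while cur != "/":
        dirs.append(cur)
        cur = posixpath.dirname(cur)
    return ["/"] + dirs[::-1]

def delegated_fids(table, pattern):
    """Fids to grant for a pathname or a shell-style pattern such as
    /user/joe/*.o, in path order with duplicates removed.  The pattern is
    expanded here, since an ACP at the server cannot match names."""
    files = sorted(p for p in table if fnmatch(p, pattern))
    if not files:
        raise KeyError("nothing matches " + pattern)
    needed = []
    for f in files:
        for p in ancestors(f) + [f]:
            if p not in needed:
                needed.append(p)
    return [table[p] for p in needed]

def read_one_file(table, pattern):
    """Instantiate ReadOneFile(name) as an Example-2-shaped Tcl ACP: fetch
    only, and only on the listed fids, so no write right is ever delegated."""
    clauses = ['[string compare $fid "%s"] == 0' % fid
               for fid in delegated_fids(table, pattern)]
    return ('expr {\n    [string compare $opclass "fetch"] == 0\n    && ('
            + '\n        || '.join(clauses) + ')\n}')

if __name__ == "__main__":
    print(read_one_file(NAME_TO_FID, "/user/joe/paper.ps"))
```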

3.4 Performance 

To determine the overhead of using ACPs in the specific 
embodiment, some simple experiments were performed. 
The first experiment consisted of measuring the elapsed time 
for a stat system call under various conditions. stat is a Unix 
command that returns information about a file, such as the 
file's owner, length and modification date. The stat system 
call causes the AFS client to make a FetchStatus RPC to the 
server to fetch a block of information about a file including 
such information as the owner, length, and modification 
date. FetchStatus is an AFS command that a client uses when 
synchronizing its cache. FetchStatus sends a message from 
the client to the server on which the file is stored. The server 
responds by providing the client with the file's owner, 
length, and modification date. The client uses this result to 
determine whether its cached version of the file is obsolete. 

Three cases were tested. In the first case no ACP is 
supplied with the stat call. In this case, the modifications to 
the AFS server have a negligible performance impact. In the 
second case, an ACP is supplied that always returns true. In 
the third case, an ACP is supplied that restricts writing to a 
particular directory. The source code listing for the ACP 
used in this third case is as follows: 



    /* ACP for third test case */
    expr {
        ([string compare $filetype "dir"] == 0
         && [string compare $fid "20000012 0000009d 00001a3a"] == 0)
        || [string compare $parentfid "20000012 0000009d 00001a3a"] == 0
        || [string compare $opclass "fetch"] == 0
    }



This ACP allows changes to the directory (first clause), 
changes to files within the directory (second clause), and 
reads to any other files (third clause). In the test, the files 
referenced by the stat calls were not in the directory named 
by the ACP, so the ACP did three string comparisons. 
The test configuration comprised a Sun 4/110 running the AFS file server code and a Sun SparcStation 2 running the client code. The 4/110 is roughly half the speed of the SparcStation 2. The results of running the test are shown in Table 1.

TABLE 1

Elapsed times for stat call under various conditions.

    Test Case                      Execution Time
    No ACP                         7.7 ms
    ACP that returns "true"        9.5 ms
    ACP in FIG. 7                  (illegible) ms

4. Coping with ACP Complexity

The general nature of ACPs makes them both powerful and dangerous. A simple coding bug can grant undesired access rights, possibly for an unbounded length of time. The complexity of creating the desired correct ACP can be addressed in at least two ways: ACP language support and the provision of ACP templates.

A first approach to controlling complexity is through the incorporation of default provisions into ACPs. A variety of default provisions are desirable in most or even all ACPs. These include expiration times, intended users, and intended access scope. Rather than forcing ACP writers to specify these checks procedurally in each ACP, the ACP language can provide a declarative section in which the relevant values can be succinctly specified, with appropriate default values being supplied in their absence.

A second approach to controlling complexity is to place the burden of generating correct ACPs on the application and server writers instead of the application user. The application writer is more likely than the user to know the implementation details of the intermediary, and hence to know which access rights need to be delegated. This second approach, then, assumes that the application and server writers can be trusted to provide safe ACPs and that the principal culprits to safeguard against are individual instances of machines or services claiming to be something that they are not.

The print program described earlier serves as an example of this second approach. The publicly available print software (stored on a safe file server) is responsible for generating an ACP that grants access only to the file to be printed. The application writer can generate ACPs by providing a template that instantiates into a specific ACP at runtime. This template consists of an ACP that is written in advance by the application author, with slots to be filled in with usage parameters. The print ACP template can itself employ lower level templates provided by the file servers it knows about. Some example templates are:

ReadOneFile(name, lifetime, user)
    restrict reading to the file given by name; access may only be by user and must occur before lifetime. Both lifetime and user can have default values.

ReadOnly(lifetime, user)
    restrict rights to the user's read rights.

WriteInDir(directory, lifetime, user)
    restrict writing to a single directory.

When one of these is instantiated, it becomes an ACP with the arguments hard-coded in.

5. Additional Aspects of the Invention

Several additional aspects of the invention will now be presented. These aspects are presented by way of illustration and are in no way intended to limit the scope of the invention.

ACPs according to the method of the present invention 
are useful for delegation in other settings beyond the context 
of distributed systems. One such setting is a system in which 
client and server are processes running on the same com- 
puter or workstation rather than on two or more physically 
separate computers. For example, consider a workstation 
user that has just received a large program from a mailing list 
and wants to run that program. The user is not completely 
sure he can trust this software; for example, the user is 
concerned that the software may be infected by a software 
virus, or that it may attempt to execute another program 
without the user's knowledge. However, the user knows 
which files the software should write and execute if it works 
correctly. According to the method of the present invention, 
the user creates an ACP and attaches it to an invocation of 
the program. In this aspect of the invention, the initiator is 
the user's command processor, the intermediary is the 
untrusted software, and the server is the local operating 
system. Because the ACPs can be managed securely by the 
operating system, digital signatures are not required. 

Another example of the use of ACPs in a nondistributed 
system concerns setuid programs. Many operating systems 
have a facility that allows a user to delegate his rights to a 
program known as a setuid program. When the setuid 
program runs, it executes with the rights of the owner of the 
program file instead of the rights of the invoker. A typical 
Unix system, for example, has many of these programs that 
run as the so-called super-user, who has unlimited access 
rights. Bugs in these setuid programs are a major source of 
security weaknesses. A malicious user can exploit a bug in 
such a program to cause it to read, modify, or execute some 
file that the program author did not intend it to reference. 

An ACP attached to a setuid program can limit the 
damage caused by a bug therein. In principle, the attachment 
of the ACP provides no additional protection since the 
system administrator is responsible for both the setuid 
program and the ACP. In practice, however, the ACP can be 
made much simpler than the setuid program. This simplicity 
can give the system administrator confidence that the com- 
bination of the setuid program and the ACP is less likely to 
have a damaging bug than the setuid program alone. 

ACPs can be used to provide a limited form of setuid 
functionality in a distributed system. A game program run- 
ning in a distributed system can have an embedded ACP that 
allows any user to modify the high score file. When the game 
wishes to modify the score file, it uses this ACP, running as 
whoever invoked the game. In principle, an intruder could 
look in the program, decode it, and extract the ACP. But if 
he did, all the intruder would get would be the ability to 
modify the high score file for this particular game. The 
alternative for a network setuid facility would be to encode 
something equivalent to the author's full rights, such as his 
password, in the program. Use of the ACP limits the damage if the program is decoded. For certain applications, this can provide adequate security.

6. Conclusion

Access control programs (ACPs) permit controlled delegation of access rights to untrusted computer hosts. If an initiator of an action does not fully trust an intermediary, then it can create an ACP and pass it to the intermediary. The ACP is executed at a server for each request made by the untrusted intermediary and decides whether or not to allow the request. An ACP cannot grant rights that its creator did not possess; it can only restrict these rights.

ACPs can be incorporated into current systems to augment such systems' existing access control facilities. Typically this incorporation requires only digital signatures, two-party authentication, and an interpreter for the ACP language. The exact implementation in each case depends on the specifics of the underlying system. One of the strengths of the ACP design is that it places no assumption on the type of access control provided by the system or on the authentication protocol employed. ACPs can be used with both public and private-key based security mechanisms.

All decisions about the rights delegated by an ACP are incorporated into the ACP itself, including who is allowed to use the ACP and for how long. Because ACPs bear the power of a full programming language, a wide range of access control policies can be implemented by clients without the involvement of servers. Because ACPs are fully contained and digitally signed, they can be freely passed around. Typically, a client will pass an ACP along with an operation request or with a connection setup request. However, ACPs can also be published, in which case a request need only identify which ACP authorizes it.

The power of ACPs must be used carefully. In particular, servers must protect themselves from malicious or buggy ACPs. Creators of ACPs must take care to avoid inadvertently delegating excessive rights. Servers can protect themselves by using a carefully coded interpreter. The use of templates and ACP language defaults as described above can aid the construction of correct ACPs.

A general problem of restricted delegation is that the initiator must know enough about the implementation of the intermediary to delegate the appropriate set of access rights. Clients tend to think in terms of high-level operations, such as "print this file", while the accesses made by intermediaries to servers involve lower-level operations, such as "stat this directory then retrieve the file with this unique ID." ACP translation tools, that is, software tools that translate an ACP program expressed in a form convenient for the programmer into an ACP program expressed in a form usable by the server, can be written to provide help in coping with this problem.

Although the above is a complete description of certain embodiments and aspects of the invention, various alternatives, modifications, and equivalents can be used. Therefore, the above description should not be taken as limiting the scope of the invention. Rather, the scope of the invention is defined by the appended claims along with the full scope of equivalents to which these claims are entitled.






5,649,099 




XEROX 

nichols 

Document name: Diffs 
Printing date/time: June 2, 1993 11:45:57 am PDT 
Host name: osprey 

This file, "Diffs," represents the differences in source code between release 3 of the Andrew File System (as it appeared on the August 19, 1990 Mt. Xinu release tape of the Mach operating system) and a modified version of release 3 of the Andrew File System, described elsewhere in this application, that embodies the method of the present invention. 

The modifications made to Andrew File System release 3 (as it appeared on the August 19, 1990 Mt. Xinu release tape of the Mach operating system) in order to produce the embodiment of the present invention in a modified version of the Andrew File System as described elsewhere in this application represent original unpublished work of Xerox Corporation. This original unpublished work is Copyright © 1991 Xerox Corporation. All rights reserved. Copyright protection claimed includes all forms and matters of copyrightable material and information now allowed by statutory or judicial law or hereafter granted, including without limitation, material generated from the software programs which are displayed on the screen such as icons, screen display looks, etc. 

C05d: Mon May 24 12:24:03 PDT 1993 Job #588 
XEROX 

nichols 

Document name: TCLDiffs 
Printing date/time: June 2, 1993 11:46:57 am PDT 
Host name: osprey 

This file, "TCLDiffs," represents the differences in source code between release 3.3 of Tool Command Language and a version of Tool Command Language modified from release 3.3 to support the embodiment of the present invention in a modified version of the Andrew File System as described elsewhere in this application. 

The modifications made to release 3.3 of Tool Command Language in order to produce the embodiment of the present invention in a modified version of the Andrew File System as described elsewhere in this application represent original unpublished work of Xerox Corporation. This original unpublished work is Copyright © 1991 Xerox Corporation. All rights reserved. Copyright protection claimed includes all forms and matters of copyrightable material and information now allowed by statutory or judicial law or hereafter granted, including without limitation, material generated from the software programs which are displayed on the screen such as icons, screen display looks, etc. 
What is claimed is: 

1. In a computing system comprising a server, a client, 
and at least one intermediary, a method of processing an 
ultimate request to the server, the ultimate request being 
delivered to the server as the final request in a chain 
comprising at least two linked requests, the client and all the 
intermediaries each being associated with one linked request 
of the chain, the intermediary that delivers the ultimate 
request to the server being the final intermediary in the chain 
and being designated as the requestor, the method compris- 
ing the steps of: 

using the requestor to present to the server the ultimate 
request in conjunction with at least one executable 
access control program comprising at least one 
sequence of computer program instructions, the access 
control program being executable by a processor to 
express a specification of a set of access rights; 

using the server to execute each access control program 
thus presented, each access control program being 
executed in a manner such that said access control 
program is prevented from compromising server secu- 
rity; and 

if and only if the execution of each access control program 
thus presented is successful, using the server to execute 
the ultimate request in a manner consistent with the set 
of access rights, any access rights not in the set of 
access rights not being delegated to any intermediary 
nor being granted by the server. 

2. In a system comprising a client, a server, and one or 
more intermediaries that the client does not trust, a plurality 
of communications channels that connect the client, the 
server, and the intermediaries, one or more computing 
nodes, and a communications network, a method for per- 
forming a request issued by an intermediary to the server on 
behalf of the client, the method comprising the steps of: 

using the client to create a client request; 

using the client to create an executable access control 
program, the access control program comprising at 
least one sequence of computer program instructions, 
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using the client to create the client request; 

using the client to create an executable access control 
program comprising at least one sequence of computer 
program instructions executable by a processor, the 
access control program being executable to express a 
specification of a set of access rights to be delegated 
from the client to the first intermediary, any access 
rights not in the set not being delegated to the first 
intermediary; 

using the client to associate the access control program 

with the client request; 
using the client and a communications channel from the 

client to the first intermediary to transmit the client 

request and its associated access control pi ogi am from 

the client to the first intermediary; 
using the first intermediary to generate a first intermediary 

request; 

using the first intermediary and a communications chan- 
nel to issue the first mtermediary request and to trans- 
mit the access control program along with the first 
intermediary request thus issued; 
using the server to receive a service request and the access 

control program; 
using the server to make a determination whether the 
client approves the service request by performing a test 
that comprises the steps of: 
using the server to execute the access control program, the 
access control program being executed in a manner 
such that the access control program is prevented from 
compromising server security; and 
using the server to check a value returned by the access 

control program thus executed; and 
if and only if the detenmnation thus made by the server 
is that the client approves the service request, using the 
server to execute the service request, and otherwise 
using the server to deny the service request 
4. The method of claim 1 wherein the number of inter- 
mediaries is exactly one, wherein the first mtermediary 



the access control program bdng executable by a „ ™ ^ £7^~ '^^7^*7^1 
processor to express a specification of an arbitrary set ? . ^ , TV , 

c ~ • Cl\ i , i A . - . _ \_ wherein the communications channel used by the first inter- 

of access rights to be delegated from the client to a first ^ . _ . 4 ^ ~Z 

mediary to issue the first intermediary request connects the 



intermediary untrustcd by the client, any access rights 
not in the set not being delegated to the first interme- 
diary; 

using the client to associate the access control program 
with the client request; 

in response to the client request, using the first interme- 
diary and zero or more additional intermediaries 
untrusted by the client to issue intermediary requests, 
all these intermediary requests being accompanied by 
the access control program; 

receiving a final mtermediary request in the server; and 

using the server to execute the access control program in 
order to determine whether or not to grant the final 
intermediary request, the access control program being 
executed in a manner such mat the access control 
program is prevented from compromising server secu- 
rity. 

3. In a system comprising a client, a server, a number of 
intennediaries, the number being greater than or equal to 
one, a plurality of communications channels that connect the 
client, the server, and the mtennediaries, and computing 
hardware to execute the client server, and intermediaries 
and to support the comrnunication channels, a method for 
performing a client request issued by the client to a first 
intermediary, the method comprising the steps of: 
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first intermediary directly with the server, such that when the 
first intermediary issues the first intermediale request, the 
first intermediate request is transmitted directly to the server. 

5. The method of claim 3 wherein the access control program is a procedure that takes as parameters a caller, an operation being performed, and any arguments required for this operation, and that returns an indication of whether or not the operation is allowed. 

6. The method of claim 3 additionally comprising the step of using the client to digitally sign the access control program with a digital signature associated with the client, and wherein the step of using the server to make a determination whether the client approves the service request further comprises an additional test of using the server to verify that the access control program bears a digital signature that is authentic and that is the client's. 

7. The method of claim 3 wherein the step of creating an access control program is performed independently of the server. 

8. The method of claim 3 wherein the step of creating an access control program is performed at run time contemporaneously with the step of creating the client request. 

9. The method of claim 1 wherein the number of intermediaries is strictly greater than one, wherein the intermediaries are ordered in an order from first to last, and: 

a) wherein the step of using the first intermediary and a communications channel to issue the first intermediary request and to transmit the access control program along with the first intermediary request thus issued further comprises the additional steps of: 

for each intermediary except the last: 

using the intermediary to choose a next intermediary; 

using the intermediary to create an additional intermediary request; 

using the intermediary to create an additional executable access control program comprising at least one additional sequence of computer program instructions executable by a processor, the additional access control program being executable to express a specification of a set of access rights to be delegated from the intermediary to the next intermediary, any access rights not in said set not being delegated to the next intermediary; 

using the intermediary to associate the additional access control program with the additional intermediary request; and 

using the intermediary and a communications channel from the intermediary to the next intermediary to transmit the access control program, the intermediary request and its associated additional access control program, and all additional access control programs already created by other intermediaries, from the intermediary to the next intermediary; 

b) wherein the step of using the server to receive a service request and the access control program further comprises the steps of: 

using the last intermediary to generate the service request; and 

using the last intermediary to issue the service request to the server and to transmit the access control program and all additional access control programs created by other intermediaries to the server; and 

c) wherein the step of using the server to make a determination whether the client approves the service request further comprises using the server to make additional determinations whether all intermediaries except the last approve the service request by performing additional tests, one additional test for each intermediary except the last, each additional test comprising the steps of: 

using the server to execute the additional access control program associated with the intermediary, said additional access control program being executed in a manner such that said additional access control program is prevented from compromising server security; and 

using the server to check a value returned by the additional access control program thus executed. 

10. The method of claim 9 additionally comprising the step, executed for each intermediary except the last, of using the intermediary to digitally sign the additional access control program with a digital signature associated with the intermediary, and wherein each additional test performed during the step of using the server to make additional determinations whether all intermediaries except the last approve the service request further comprises the step of using the server to verify that the additional access control programs bear digital signatures that are authentic and that are the intermediaries'. 

11. The method of claim 9 further comprising the step, performed for each intermediary except the last, of using the intermediary to designate an additional revocation object associated with a right to be delegated that is among the rights of the set of access rights of the specification of the additional access control program. 

12. The method of claim 3 wherein the access control program is a computer program written in a programming language. 

13. The method of claim 12 wherein the programming language is a Turing-complete language and wherein the access control program provides a functionality not providable by an access control program written in a language that is not Turing-complete. 

14. The method of claim 13 wherein the language is an interpreted language and wherein the access control program is an interpreted program. 

15. The method of claim 12 in which the programming language is an extension language and the server provides a core set of access control concepts, and wherein the access control program extends the core set of access control concepts provided by the server. 

16. The method of claim 12 wherein the programming language includes control constructs and the server has state information that the server makes available to the access control program, and wherein the access control program includes multiple possible paths of execution and thereby provides a conditional access right that is conditioned on the state information thus made available. 

17. The method of claim 3 further comprising the step, performed by a programmer, of using a template to specify portions of the access control program to be created by the client. 

18. The method of claim 3 wherein the server is chosen from the group a file server, a database server, a print server, an input/output server, or a compute server. 

19. The method of claim 3 wherein the client is a user command process associated with a user, the first intermediary is an untrusted program, and the server is an operating system in the context of which the user command process executes and the untrusted program is to be executed. 

20. The method of claim 3 wherein the at least one sequence of computer program instructions is a sequence of computer program instructions executable by a processor after conversion into a machine-executable form, and further comprising the step of converting the sequence of computer program instructions into the machine-executable form. 

21. The method of claim 20 wherein the converting step comprises interpreting the sequence of computer program instructions with a safe interpreter. 

22. The method of claim 20 wherein the at least one sequence of computer program instructions is a sequence of computer program instructions written in an interpreted programming language, and wherein the converting step comprises interpreting the sequence of computer program instructions. 

23. The method of claim 3 wherein the at least one sequence of computer program instructions is a sequence of computer program instructions directly executable by a processor. 

24. The method of claim 3 wherein the step of using the server to execute the access control program in a manner such that the access control program is prevented from compromising server security comprises accessing server resources with the access control program only in a manner in which the client would be authorized to access the server. 

25. The method of claim 3 wherein the step of using the server to execute the access control program in a manner such that the access control program is prevented from compromising server security comprises invoking with the access control program only server system operations having no undesired side effects, regardless of whether the server grants or denies access. 

26. In a system comprising a client, a server, a number of intermediaries, the number being greater than or equal to one, a plurality of communications channels that connect the client, the server, and the intermediaries, and computing hardware to execute the client, server, and intermediaries and to support the communication channels, a method for performing a client request issued by the client to a first intermediary, the method comprising the steps of: 

using the client to create the client request; 

using the client to create an executable access control program, the access control program encoding a specification of a set of access rights to be delegated from the client to the first intermediary; 

using the client to digitally sign the access control program with a digital signature associated with the client; 

using the client to associate the access control program with the client request; 

using the client and a communications channel from the client to the first intermediary to transmit the client request and its associated access control program from the client to the first intermediary; 

using the first intermediary to generate a first intermediary request; 

using the first intermediary and a communications channel to issue the first intermediary request and to transmit the access control program along with the first intermediary request thus issued; 

using the server to receive a service request and the access control program; 

using the server to make a determination whether the client approves the service request by performing a test that comprises the steps of: 

using the server to execute the access control program, and 

using the server to check a value returned by the access control program thus executed, 

performing an additional test comprising the step of using the server to verify that the access control program bears a digital signature that is authentic and that is the client's, and performing two further additional tests of 

using the server to verify the identity of the first intermediary, and 

using the server to verify that the client has the rights that it purports to delegate via the access control program; and 

if and only if the determination thus made by the server is that the client approves the service request, using the server to execute the service request, and otherwise using the server to deny the service request. 

27. In a system comprising a client, a server, a number of intermediaries, the number being greater than or equal to one, a plurality of communications channels that connect the client, the server, and the intermediaries, and computing hardware to execute the client, server, and intermediaries and to support the communication channels, and additionally comprising an authentication server, an additional communications channel between the authentication server and the client, and computing hardware to execute the authentication server and the additional communications channel, a method for performing a client request issued by the client to a first intermediary, the method comprising the steps of: 
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using the client to create the client request; 

using the client to create an executable access control program, the access control program encoding a specification of a set of access rights to be delegated from the client to the first intermediary; 

using the client to associate the access control program with the client request; 

using the client to request an authentication ticket; 

using the additional communications channel to transmit the request for the authentication ticket to the authentication server; 

using the authentication server to issue an authentication ticket; 

using the additional communications channel to transmit the authentication ticket to the client; 

using the client and a communications channel from the client to the first intermediary to transmit the client request and its associated access control program from the client to the first intermediary; 

using the first intermediary to generate a first intermediary request; 

using the first intermediary and a communications channel to issue the first intermediary request and to transmit the access control program along with the first intermediary request thus issued; 

using the server to receive a service request and the access control program; 

using the server to make a determination whether the client approves the service request by performing a test that comprises the steps of: 

using the server to execute the access control program, and 

using the server to check a value returned by the access control program thus executed; and 

if and only if the determination thus made by the server is that the client approves the service request, using the server to execute the service request, and otherwise using the server to deny the service request. 

28. The method of claim 27 wherein the additional communications channel is a secure channel. 

29. The method of claim 27 wherein the step of using the server to make a determination whether the client approves the first intermediary request further comprises an additional test of using the server in conjunction with the authentication server and a channel between the server and the authentication server to verify that the access control program is authentic and is the client's. 

30. The method of claim 29 wherein the channel between the server and the authentication server is a secure channel. 

31. In a system comprising a client, a server, a number of intermediaries, the number being greater than or equal to one, a plurality of communications channels that connect the client, the server, and the intermediaries, and computing hardware to execute the client, server, and intermediaries and to support the communication channels, a method for performing a client request issued by the client to a first intermediary, the method comprising the steps of: 
using the client to create the client request; 
using the client to create an executable access control 
program, the access control program encoding a speci- 
fication of a set of access rights to be delegated from the 
client to the first intermediary; 
using the client to associate the access control program 
with the client request; 
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using the client and a communications channel from the 
client to the first intermediary to transmit the client 
request and its associated access control program from 
the client to the first intermediary; 

using the first intermediary to generate a first intermediary 
request; 

using the first intermediary and a communications channel to issue the first intermediary request and to transmit the access control program along with the first intermediary request thus issued; 

using the server to receive a service request and the access control program; 

using the server to make a determination whether the client approves the service request by performing a test that comprises the steps of: 

using the server to execute the access control program, and 

using the server to check a value returned by the access control program thus executed; 

if and only if the determination thus made by the server is that the client approves the service request, using the server to execute the service request, and otherwise using the server to deny the service request; 

using the client to designate a revocation object at the server associated with a right to be delegated that is encoded in the specification of the access control program; 

if and only if the server executes the service request, using the server to test for the existence of the revocation object thus designated; and 

if and only if the server finds that the revocation object exists, using the server to grant the delegated right associated with the revocation object, and otherwise using the server to deny the delegated right associated with the revocation object. 

32. The method of claim 31 further comprising the step of using the client to revoke the right associated with the revocation object by eliminating the revocation object prior to the server's execution of the service request. 

33. The method of claim 31 wherein the server is a file server and the revocation object is a file stored by the server. 

34. The method of claim 31 wherein the client designates the revocation object independently of the server. 

35. The method of claim 31 wherein the client designates the revocation object at run time contemporaneously with the step of creating the client request. 

36. In a distributed file system comprising a plurality of 
nodes, each node comprising a processor and memory, a 
plurality of processes including at least one client, at least 
one file server, and at least one intermediary, each process 
executing on its own unique node, and a plurality of com- 
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munications channels that connect the processes to one 
another, a method for performing a client request issued by 
the client to the intermediary, the method comprising the 
steps of: 

using the client to create the client request; 

using the client to create an executable access control 
program, the access control program encoding a speci- 
fication of a set of access rights to be delegated from the 
client to the intermediary; 

using the client to digitally sign the access control program; 

using the client to associate the access control program thus digitally signed with the client request; 

using the client and a communications channel from the client to the intermediary to transmit the client request and its associated access control program from the client to the intermediary; 

using the intermediary to generate an intermediary request; 

using the intermediary and a communications channel to issue the intermediary request and to transmit the access control program along with the intermediary request thus issued; 

using the server to receive a service request and the access control program; 

using the server to make a determination whether the access control program is valid by performing a test that comprises the steps of: 

using the server to verify that the access control program bears a digital signature that is authentic and that is the client's; 

using the server to verify the identity of the first intermediary; and 

using the server to verify that the client has the rights that it purports to delegate via the access control program; 

if and only if the server thus determines that the access control program is valid, using the server to make a determination whether the client approves the service request by performing a test that comprises the steps of: 

using the server to execute the access control program; and 

using the server to check a value returned by the access control program thus executed; and 

if and only if the determination thus made by the server is that the client approves the service request, using the server to execute the service request, and otherwise using the server to deny the service request. 
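As an added illustration, not part of the patent or its AFS/Tcl appendix code, the following Python sketches the server-side tests the claims describe: a chain of signed access control programs (claims 9 and 10), each a claim 5 style procedure over (caller, operation, args), run by a restricted expression evaluator standing in for the safe interpreter of claims 21 and 25, together with the delegation checks of claim 26 and the revocation object of claims 31 and 32. The principals, keys, file paths, expression syntax and reason strings are all assumptions made for the example.

```python
import ast
import hashlib
import hmac

# Constructed illustration of the claimed method; it is not the patent's
# AFS/Tcl embodiment. HMAC keys shared with the server stand in for the
# per-principal digital signatures of claims 6, 10 and 26.
KEYS = {"alice": b"k-alice", "proxy": b"k-proxy", "worker": b"k-worker"}
# Rights the server itself knows each principal to hold (claim 26 requires
# checking that a delegator really has what it purports to delegate).
HELD_RIGHTS = {"alice": {"read", "write"}, "proxy": set(), "worker": set()}
# Server state read by programs (claim 16) and designated revocation objects (claim 31).
SERVER_STATE = {"maintenance": False}
REVOCATION_OBJECTS = {"alice/write"}

ALLOWED_NODES = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp,
                 ast.Not, ast.Compare, ast.Eq, ast.NotEq, ast.In, ast.NotIn,
                 ast.Name, ast.Load, ast.Constant, ast.Subscript, ast.Tuple,
                 ast.List, ast.Set)

def safe_eval(program, caller, operation, args):
    """Claim 5's procedure (caller, operation, args) -> allowed, run as the safe
    interpreter of claim 21: unknown constructs are rejected before execution,
    no builtins are reachable, and only copies of state are visible (claim 25)."""
    tree = ast.parse(program, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError("disallowed construct " + type(node).__name__)
    env = {"caller": caller, "operation": operation, "args": dict(args),
           "state": dict(SERVER_STATE)}
    return bool(eval(compile(tree, "<acp>", "eval"), {"__builtins__": {}}, env))

def sign(principal, program):
    return hmac.new(KEYS[principal], program.encode(), hashlib.sha256).hexdigest()

def make_acp(signer, delegate, rights, program, revocations=None):
    # A signed program delegating `rights` from `signer` to `delegate`;
    # `revocations` maps a delegated right to its revocation object.
    return {"signer": signer, "delegate": delegate, "rights": set(rights),
            "program": program, "revocations": revocations or {},
            "sig": sign(signer, program)}

def revoke(obj):          # claim 32: the client eliminates the revocation object
    REVOCATION_OBJECTS.discard(obj)

def server_decide(request, chain):
    """Server-side tests of claims 3, 9, 10, 26 and 31 over a chain of access
    control programs, the client's first. Returns (granted, reason)."""
    op, args, requestor = request["operation"], request["args"], request["requestor"]
    holder = chain[0]["signer"]          # the client at the head of the chain
    effective = HELD_RIGHTS[holder]      # rights the server knows it holds
    for acp in chain:
        if acp["signer"] != holder:
            return False, "chain broken at " + acp["signer"]
        if not hmac.compare_digest(acp["sig"], sign(acp["signer"], acp["program"])):
            return False, "signature check failed for " + acp["signer"]
        if not acp["rights"] <= effective:
            return False, acp["signer"] + " purports to delegate rights it lacks"
        effective, holder = acp["rights"], acp["delegate"]   # rights only shrink
    if holder != requestor or op not in effective:
        return False, "operation not delegated to " + requestor
    for acp in chain:                     # every program in the chain must approve
        try:
            if not safe_eval(acp["program"], requestor, op, args):
                return False, "denied by program of " + acp["signer"]
        except (ValueError, NameError, SyntaxError):
            return False, "program of " + acp["signer"] + " rejected as unsafe"
        if op in acp["revocations"] and acp["revocations"][op] not in REVOCATION_OBJECTS:
            return False, "right revoked via " + acp["revocations"][op]
    return True, "granted"

# Constructed chain: alice lets proxy read or write two files while the
# server is not in maintenance; proxy passes on read only, to worker.
ALICE_ACP = make_acp("alice", "proxy", {"read", "write"},
                     'args["path"] in ("/pub/report", "/pub/notes") '
                     'and not state["maintenance"]', {"write": "alice/write"})
PROXY_ACP = make_acp("proxy", "worker", {"read"}, 'operation == "read"')
def request(requestor, op, path):
    return {"operation": op, "args": {"path": path}, "requestor": requestor}
```

A program that tries anything beyond comparisons (a call, an attribute access) is refused before it runs, which is the property claim 25 asks of the server: denial or grant, but never a side effect.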
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